Abstract This paper identifies a property of delay-robustness in distributed supervisory control of discrete-event systems (DES) with communication delays. In previous work a distributed supervisory control problem has been investigated on the assumption that inter-agent communications take place with negligible delay. From an applications viewpoint it is desirable to relax this constraint and identify communicating distributed controllers which are delay-robust, namely logically equivalent to their delay-free counterparts. For this we introduce inter-agent channels modeled as 2-state automata, compute the overall system behavior, and then present an effective computational test for delay-robustness. From the test it typically results that the given delay-free distributed control is delay-robust with respect to certain communicated events, but not for all, thus distinguishing events which are not delay-critical from those that are. Another test is proposed to identify whether or not an uncontrollable event, which cannot be re-transmitted until its communication channel becomes available, will be blocked. The approach is illustrated by a workcell model with three communicating agents.
1 Introduction



Distributed control is pervasive in engineering practice, either by geographical necessity or to circumvent the complexity of centralized (also called 'monolithic') control. Existing work on distributed supervisory control of discrete-event systems (DES) has focused on synthesis of local controllers for individual agents (plant components) such that the resulting controlled behavior is identical with that achieved by global supervision [1]-[6]. In these contributions, it is assumed that agents make independent observations and decisions, with instantaneous inter-agent communication. While simplifying the design of distributed control, this assumption may be unrealistic in practice, where controllers are linked by a physical network subject to delays. Hence, to model and appraise these delays is essential for the correct implementation of control strategies.

The communication problem in decentralized control of multi-agent DES has been discussed by several researchers. Taking delays into consideration, Yeddes et al. [7] propose a 3-state data transmission model, representing delays by timed events with lower and finite upper time bounds; these events are incorporated into the plant and specification automata, and the time bounds further restricted by a supervisor synthesis procedure; maximal permissiveness and nonblocking, however, are not guaranteed. In [8] Barrett and Lafortune propose an information structure model for analysis and synthesis of decentralized supervisory control, applicable in principle to the case of communication delays, but they assume that such delays are absent. For a limited class of specifications, Tripakis [9] formulates certain problems in decentralized control with bounded or unbounded communication delay, modeling the system with communication by automata with state output map. In this model the existence of controllers in case of unbounded delay is undecidable; however, it will be shown in this paper that given controllers, designed under the assumption that communication delay is negligible, can solve the distributed control problem with unbounded communication delay under suitable conditions. Park and Cho [10] present a necessary and sufficient condition, in which 'delay-coobservability' is the critical concept, for the existence of a nonblocking decentralized supervisor that can achieve a given language specification under communication delays when the decentralized supervisor is assumed to have a conjunctive and permissive decision structure; however, the class of delay-coobservable languages is not closed under union; hence, maximal permissiveness is not guaranteed. Hiraishi [11] proposes an automaton formalism for communication with delay in decentralized control, and concludes semi-decidability of the controller design problem in the case of k-bounded delay and in case an observability condition holds for state-transition cycles.

In contrast with the foregoing contributions, distributed control problems with separately modeled communication channels having unknown unbounded delay, imposed on an existing distributed architecture known to be optimal and nonblocking for zero delay, seem not yet to have been investigated. Further discussion on communication channels will be presented in Sect. 3. In this paper we start from the DES distributed control scheme called 'supervisor localization' reported in [5,6], which describes a systematic top-down approach to design distributed controllers which achieve optimal and global nonblocking supervision. Briefly, the initial control problem is the standard 'Ramadge-Wonham' (RW) problem [12].
Here the plant (DES to be controlled) is modeled as the synchronous product of several DES agents (plant components), say AGENT_1, AGENT_2, ..., that are independent, in the sense that their alphabets $\Sigma_1, \Sigma_2, \ldots$ are pairwise disjoint. In a logical sense these agents are linked by specifications SPEC_1, SPEC_2, ..., each of which (typically) restricts the behavior of an appropriate subset of the AGENT_i and is therefore modeled over the union of the corresponding subfamily of the $\Sigma_i$. For each SPEC_j, a 'decentralized' supervisory controller SUP_j is computed in the same way as for a 'monolithic' supervisor [12]; it guarantees optimal (i.e. maximally permissive) and nonblocking behavior of the relevant subfamily (the 'control scope' of SPEC_j) of the AGENT_i. In general it will turn out that the synchronous product of all the SUP_j is blocking (e.g. may cause deadlock in the overall controlled behavior); in that case one or more additional 'coordinators' must be adjoined to suitably restrict the decentralized controlled behavior (see [6] for an example). Techniques for coordinator design are available in the literature



(e.g. [15]-[18]). On achieving satisfactory decentralized control we finally 'localize' each decentralized supervisor, including the coordinator(s), if any, to the agents that fall within its control scope; the algorithm that achieves this is detailed in [5], and we shall refer to it as Localize. The result of Localize is that each AGENT_i is equipped with local controllers, one for each of the SPEC_j whose scope it falls within; in that sense AGENT_i is now 'intelligent' and semi-autonomous, with controlled behavior SUPLOC_i, say, while the synchronous product behavior of all the SUPLOC_i is provably that of the monolithic supervisor for the RW problem we began with. Autonomy of the SUPLOC_i is qualified, in that normally the transition structure of each SUPLOC_i will include events from various other AGENT_k with $k \neq i$. The implementation of our distributed control therefore requires instantaneous communication by AGENT_k of 'communication' events (when they occur, in its private alphabet $\Sigma_k$) to SUPLOC_i so the latter can properly update its state. Think of a group of motorists maneuvering through a congested intersection without benefit of external traffic control, each instead depending solely on signals from (mostly) neighboring vehicles and on commonly accepted protocols. In our DES model each SUPLOC_i can disable only its private controllable events, in $\Sigma_i$, but the logic of disablement may well depend on observation of critical events from certain other AGENT_k, as remarked above. It is clear that if these communications are subject to indefinite time delay, then control may become disrupted and the collective behavior logically unacceptable. Our first aim is to devise a test to distinguish the latter case from the 'benign' situation where delay is tolerable, in the sense that 'logical' behavior is unaffected, even though in some practical sense behavior might be degraded, for instance severely slowed down.¹

As will be seen in Sect. 3, where the model of our communication channel is introduced, there is an implicit constraint that a channeled event (i.e. a communication event transmitted by a channel with indefinite delay) can occur and be transmitted only when its channel is available. As a consequence, an uncontrollable channeled event may or may not be blocked by its channel, the former case being undesirable. Our second aim is to distinguish these two cases; when an uncontrollable event is indeed blocked, we discuss how long it can be delayed.



1 Similar issues are addressed in the literature on 'delay-insensitive' asynchronous networks; for the definition see [19] and for a useful summary [20].
We proceed to a formal review of distributed control by supervisor localization on the assumption of instantaneous inter-agent communication. Then we introduce inter-agent communication with delay, modeled by a separate logical channel for each delayed communication event (i.e. channeled event). As our main result, both a definition and a computational test are provided for 'delay-robustness' of the channeled distributed system with respect to an arbitrary subset of communication events. In addition, a verification procedure is proposed to identify whether or not an uncontrollable channeled event is blocked by its channel. These issues are illustrated by a workcell model with three communicating agents. Finally we present conclusions and suggestions for future work.



2 Preliminaries 

2.1 Notation 

Following the usage of [14] we recall various standard concepts and notation. Consider a system G of n component DES $G_i = (Q_i, \Sigma_i, \eta_i, q_{i0}, Q_{im})$, $i \in N := \{1, 2, \ldots, n\}$, where $Q_i$ is the (finite) state set, $\Sigma_i$ is the (finite) set of event labels, $\eta_i : Q_i \times \Sigma_i \to Q_i$ is the state transition (partial) function, $q_{i0}$ is the initial state, and $Q_{im} \subseteq Q_i$ is the set of marker states. Each event set $\Sigma_i$ is partitioned as the disjoint union $\Sigma_i = \Sigma_{i,c} \,\dot\cup\, \Sigma_{i,u}$ where $\Sigma_{i,c}$ (resp. $\Sigma_{i,u}$) is the subset of controllable (resp. uncontrollable) events for $G_i$; the full event set for G is the union $\Sigma = \bigcup\{\Sigma_i \mid i \in N\}$.

Let $\Sigma_i^*$ denote the set of all finite strings of elements in $\Sigma_i$, including the empty string $\epsilon$, and as usual extend the transition function $\eta_i$ to $Q_i \times \Sigma_i^*$, by defining $\eta_i(q_i, \epsilon) = q_i$, $\eta_i(q_i, s\sigma) = \eta_i(\eta_i(q_i, s), \sigma)$ for all $q_i \in Q_i$, $s \in \Sigma_i^*$ and $\sigma \in \Sigma_i$. The prefix closure of a language $L\ (\subseteq \Sigma_i^*)$ is defined as $\bar{L} = \{s \in \Sigma_i^* \mid su \in L \text{ for some } u \in \Sigma_i^*\}$. The closed behavior and the marked behavior of $G_i$ are defined respectively by $L(G_i) = \{s \in \Sigma_i^* \mid \eta_i(q_{i0}, s)!\}$ (where ! means "is defined") and $L_m(G_i) = \{s \in L(G_i) \mid \eta_i(q_{i0}, s) \in Q_{im}\}$.

As in [5,6] we assume that the $G_i$ are a priori independent, in the sense that their alphabets $\Sigma_i$ are pairwise disjoint. The system G representing their combined behavior is defined to be their synchronous product [14] $G = (Q, \Sigma, \eta, q_0, Q_m) = \mathrm{Sync}(G_1, \ldots, G_n)$.² The closed behavior and marked behavior of G are $L(G) = \|\{L(G_i) \mid i \in N\}$ and $L_m(G) = \|\{L_m(G_i) \mid i \in N\}$ where $\|$ denotes synchronous product of languages [14]. Assume each $G_i$ is trim (i.e. reachable and coreachable, see [14]); then by independence, G is trim, i.e., $\overline{L_m(G)} = L(G)$ [14].
Let $\Sigma_o \subseteq \Sigma$ be a subset of events thought of as 'observable'. We refer the reader to [14] for the formal definition of natural projection $P : \Sigma^* \to \Sigma_o^*$, DES isomorphism, G-controllability, (G, P)-observability, and the supremal quasi-congruence relation. Simply stated, natural projection P on a string $s \in \Sigma^*$ erases all the occurrences of $\sigma \in \Sigma$ in s such that $\sigma \notin \Sigma_o$, namely $P\sigma = \epsilon$ (the empty string); P is implemented as Project(G, Image/Null[]), which returns a (state-minimal) DES PG over $\Sigma_o$ such that $L_m(PG) = PL_m(G)$ and $L(PG) = PL(G)$. Two DES are isomorphic if they are identical up to relabeling of states; G-controllability is



2 We may safely assume that the implementation Sync of synchronous product is always associative and commutative; for more on this technicality see ([14], Sect. 3.3).
the property required for a sublanguage of $L_m(G)$ to be synthesizable by a supervisory controller; observability says that if two strings 'look the same' (have the same projection under P), then a control decision rule that applies to one can be used for the other; while projection modulo supremal quasi-congruence produces a (possibly nondeterministic) abstraction (reduced version) of a DES G, denoted Supqc(G, Image/Null[]), which preserves observable transitions and the 'observer' property [21,22]. As detailed in [14] these operations are available in a software implementation [23] and will be referred to here as needed.



2.2 Distributed Control without Communication Delay 

Next we summarize the distributed control theory (assuming zero communication delay) reported in [5,6]. First suppose G is to be controlled to satisfy a specification language $L_m(SPEC) \subseteq \Sigma^*$ represented by a DES SPEC. Denote by $K \subseteq \Sigma^*$ the supremal controllable sublanguage of $L_m(G) \cap L_m(SPEC)$ (for details see [14]). Assume K is represented by the DES SUP, which can be computed (e.g. in the software [23]) as

SUP = Supcon(G, SPEC); (1)

thus SUP has marked behavior $L_m(SUP) = K$ and closed behavior $L(SUP) = \bar{K}$.

Since G = Sync(G_1, ..., G_n) is the synchronous product of independent components we seek to implement SUP in distributed fashion by 'localizing' SUP to each G_i as proposed in [5,6]. For this we bring in a family of local controllers LOC = {LOC_i | i ∈ N}, one for each G_i, and define $L(LOC) = \|\{L(LOC_i) \mid i \in N\}$ and $L_m(LOC) = \|\{L_m(LOC_i) \mid i \in N\}$. LOC can be computed (see [14]) as LOC = Localize(G, SUP); and it is shown in [5,6] that

$L(G) \cap L(LOC) = L(SUP)$ (2a)
$L_m(G) \cap L_m(LOC) = L_m(SUP)$ (2b)

Generally, each local controller has a much smaller state set than SUP and a smaller event subset of $\Sigma$, containing just the events of its corresponding plant component, together with those ('communication') events from other components that are essential to make correct control decisions.



3 Distributed Control with Communication Delay 

Cai and Wonham [5] discuss a boundary case of optimal distributed control that is fully localizable, where inter-agent communication is not needed, namely the alphabet of each local controller LOC_i is simply $\Sigma_i$, so that LOC_i observes only events in its own agent G_i. In this case, no issue of delay will arise. The more general and usual case is that inter-agent communication is imperative.

For simplicity assume temporarily that the system G consists of two components G_1 and G_2, and let the monolithic supervisor SUP (in (1)) be given. Using Localize compute local controllers LOC_1 with event set $\Sigma_{LOC_1}$ and LOC_2 with event set $\Sigma_{LOC_2}$, and then the local controlled behaviors

SUP_1 = Sync(G_1, LOC_1) (3)

SUP_2 = Sync(G_2, LOC_2). (4)



By the localization theory of [5,6] we know that their synchronized behavior, say LOCSUP = Sync(SUP_1, SUP_2), will agree with that of the monolithic control SUP (in (1)), namely

Isomorph(LOCSUP, SUP) = true. (5)

In the general localization theory (instantaneous) inter-agent communication is both possible and necessary, so the alphabet $\Sigma_{LOC_1}$ of LOC_1 (resp. LOC_2) will include elements (communication events) from $\Sigma_2$ (resp. $\Sigma_1$) as well as events from its 'private' alphabet $\Sigma_1$ (resp. $\Sigma_2$). Let $\Sigma_{com,1}$ (resp. $\Sigma_{com,2}$) represent the set of communication events from $\Sigma_2$ (resp. $\Sigma_1$), i.e. $\Sigma_{com,1} = \Sigma_{LOC_1} - \Sigma_1$ (resp. $\Sigma_{com,2} = \Sigma_{LOC_2} - \Sigma_2$); then the set of communication events in LOCSUP (i.e. SUP) is

$\Sigma_{com} = \Sigma_{com,1} \cup \Sigma_{com,2}$. (6)

By (3) and (4), the alphabet $\Sigma_{SUP_1}$ of SUP_1 is

$\Sigma_{SUP_1} = \Sigma_1 \cup \Sigma_{com,1}$, (7)

and the alphabet $\Sigma_{SUP_2}$ of SUP_2 is

$\Sigma_{SUP_2} = \Sigma_2 \cup \Sigma_{com,2}$. (8)

We say that a communication event in $\Sigma_{com,1}$ is imported from G_2 by LOC_1 (resp. $\Sigma_{com,2}$, G_1 and LOC_2).

Next we model the way selected communication events are imported with indefinite time delay and call such events channeled events. Let $\Sigma_{chn}$ represent the set of channeled events; then $\Sigma_{chn} \subseteq \Sigma_{com}$ ($\Sigma_{com}$ is defined in (6)). For example assume that communication event r in $\Sigma_2$ is transmitted to LOC_1 from G_2 via a channel modeled as the (2-state) DES C2r1 in Fig. 1;³ then r is a channeled event. In the transition structure of LOC_1, hence also of SUP_1, we replace every instance of event r with a new event r', the 'output' of C2r1 corresponding to input r (we call r' the signal event of r); call these modified models LOC'_1, SUP'_1. Thus if and when r happens to occur (in G_2) C2r1 is driven by synchronization from its initial state 0 into state 1; on the eventual (and spontaneous) execution of event r', which resets C2r1 to state 0, the execution of r' will be forced by synchronization in LOC'_1, hence in SUP'_1; of course each of the latter DES must be in an appropriate state for such synchronization to occur, namely exactly a state in which r was enabled originally in LOC_1 and SUP_1. In the standard untimed model of DES employed here, the 'time delay' between an occurrence of r and



3 Communications among local supervisors can be modeled in different ways, e.g. [7,11]. Although in the 2-state automaton model an event cannot be transmitted unless its channel is available, we select this model because it has simpler structure (2 states and 2 transitions), transmits events separately, and leads to a positive result (with this model, the local supervisors with communication delay achieve optimal and nonblocking supervision under suitable conditions).
Fig. 1 Communication Channel C2r1: two states 0 (initial, marked) and 1, with transition r from state 0 to state 1 and transition r' from state 1 back to state 0. (In the transition diagram of a DES, we use the circle with → to represent the initial state and double circle to represent the marker state.)

r' is unspecified and can be considered unbounded; indeed, nothing in our model so far implies that r' necessarily ever occurs at all because, subsequent to the occurrence of r in G_2, SUP'_1 might conceivably move to states (by events other than r') where r' can never be executed. As a convention, the control status of r' (controllable or uncontrollable) is taken to be that of r. Suppose in particular that r in $\Sigma_2$ is controllable. Since LOC_1 has 'control authority' only over controllable events in its private alphabet $\Sigma_1$, LOC_1 never attempts to disable r' directly; r' can only be disabled implicitly by the 'upstream' disablement by LOC_2 of r.

In general LOC_1 'knows' that r has occurred in G_2 only when it receives r'; meanwhile, other events may have occurred in G_2. The only constraint placed on events in G_2 is that r cannot occur again until r' has finally reset C2r1 and the communication cycle is ready to repeat.⁴ In other words, event r will be delayed in re-occurring until the channel used to transmit event r is again available. If event r is controllable, it can be disabled or delayed by the local controller LOC_2; but if event r is uncontrollable, the constraint placed on G_2 will require that r' should reset C2r1 before r can occur again, possibly in violation of the intended meaning of 'uncontrollable'. This issue will be discussed in Sect. 3.3. The channel C2r1 is not considered a control device, but rather an intrinsic component of the physical system being modeled; it will be 'hard-wired' into the model by synchronous product with G_1 and G_2.

Continuing with this special case we consider the joint behavior of G_1, G_2 and C2r1 under control of LOC'_1 and LOC_2, namely

SUP' := Sync(G_1, LOC'_1, C2r1, G_2, LOC_2)
      = Sync(SUP'_1, C2r1, SUP_2) (9)

defined over the alphabet $\Sigma_1 \cup \{r'\} \cup \Sigma_2$. We refer to SUP' as the channeled behavior of SUP (in (1)) with r being the channeled event (i.e. $\Sigma_{chn} = \{r\}$).



3.1 Delay-robustness and Delay-criticality 

In this subsection, we formalize the definition and present an effective computational test for delay-robustness.

Of principal interest is whether or not the communication delay between successive occurrences of r and r' is tolerable in the intuitive sense indicated above.



4 In a more fine-grained model we could set $r' = r'_{21} r'_{12}$ where $r'_{21}$ signals to LOC'_1 the occurrence of r in G_2, while $r'_{12}$ represents an acknowledgement to LOC_2 that $r'_{21}$ has occurred in SUP'_1. Here the accumulated delay is assumed to be captured by C2r1 modeled just with r'.
Let $\Sigma_{sig}$ be the set of new events introduced by the communication channel, in which each element is the signal event of an event in $\Sigma_{chn}$, i.e.

$\Sigma_{sig} = \{\sigma' \mid \sigma \in \Sigma_{chn},\ \sigma' \text{ is the signal event of } \sigma\}$. (10)

In SUP' (in (9)), $\Sigma_{chn} = \{r\}$ and $\Sigma_{sig} = \{r'\}$. Then the event set of SUP' will be $\Sigma' = \Sigma \cup \Sigma_{sig} = \Sigma \cup \{r'\}$. Let $P : \Sigma'^* \to \Sigma^*$ be the natural projection of $\Sigma'^*$ onto $\Sigma^*$ [14], i.e. P maps r' to $\epsilon$ (empty string).

To define whether or not SUP' with alphabet $\Sigma'$ has the same behavior as SUP, when viewed through P, we require that

1. anything SUP can do is the P-projection of something SUP' can do (SUP' is 'complete'); and

2. no P-projection of anything SUP' can do is disallowed by SUP (SUP' is 'correct').

For completeness we need at least the inclusions

$PL(SUP') \supseteq L(SUP)$ (11)
$PL_m(SUP') \supseteq L_m(SUP)$ (12)

In addition, however, we need the following observer property of P with respect to SUP' and SUP. Suppose SUP' executes string $s \in L(SUP')$, which will be viewed as $Ps \in L(SUP)$. As SUP is nonblocking, there exists $w \in \Sigma^*$ such that $(Ps)w \in L_m(SUP)$. For any such w 'chosen' by SUP, completeness should require the ability of SUP' to provide a string $v \in \Sigma'^*$ with the property $Pv = w$ and $sv \in L_m(SUP')$. Succinctly (cf. [14,22])

$(\forall s \in \Sigma'^*)(\forall w \in \Sigma^*)\ \ s \in L(SUP')\ \&\ (Ps)w \in L_m(SUP)$
$\Rightarrow (\exists v \in \Sigma'^*)\ Pv = w\ \&\ sv \in L_m(SUP')$. (13)

Remark 1 In ([14], Chapt. 6), P is defined to be an $L_m(SUP')$-observer if

$(\forall s \in \Sigma'^*)(\forall w \in \Sigma^*)\ \ s \in L(SUP')\ \&\ (Ps)w \in PL_m(SUP')$
$\Rightarrow (\exists v \in \Sigma'^*)\ Pv = w\ \&\ sv \in L_m(SUP')$.

It is clear that when $PL_m(SUP') = L_m(SUP)$, the observer property of P with respect to SUP' and SUP is identical with the $L_m(SUP')$-observer property of P.



Briefly, we define SUP' to be complete relative to SUP if (11), (12) and (13) hold.

Dually, but more simply, we say that SUP' is correct relative to SUP if

$PL(SUP') \subseteq L(SUP)$ (14)
$PL_m(SUP') \subseteq L_m(SUP)$ (15)

To summarize, we make

Definition 1 For given SUP' in (9) and $\Sigma_{chn} = \{r\}$, SUP (in (1)) is delay-robust relative to $\Sigma_{chn}$ provided SUP' is complete and correct relative to SUP, namely, formulas (11)-(15) hold, or explicitly

$PL(SUP') = L(SUP)$ (16)
$PL_m(SUP') = L_m(SUP)$ (17)
P has the observer property (13) with respect to SUP' and SUP.

The following example shows why the observer property is really needed; for if (16) and (17) hold, but (13) fails, SUP' may have behavior distinguishable from that of SUP.
Example 1 Let SUP_1 and SUP_2 be the generators shown in Fig. 2; assume event 20 in SUP_2 is exported to SUP_1, i.e., r = 20 and r' = 120; SUP'_1 is obtained by replacing 20 in SUP_1 by 120, and SUP' is obtained by (9). By inspection of Fig. 3, (16) and (17) are verified to hold. However, we can see that (13) fails. Let $s = 20.10.120.12 \in L(SUP')$; then $Ps = 20.10.12$. Now $(Ps).11 = 20.10.12.11 \in L_m(SUP)$; but there does not exist a string v such that $Pv = 11$ and $sv \in L_m(SUP')$. Thus, SUP can execute 11 after Ps, but SUP' cannot execute 11 after s. This shows that SUP' has behavior distinct from that of SUP.



Since SUP is a nonblocking supervisor, delay-robustness of SUP also requires that SUP' should be nonblocking, i.e.

$\overline{L_m(SUP')} = L(SUP')$, (18)

as can easily be derived from (13), (16) and (17). The following example shows that if delay-robustness fails, then transmission delay of r can lead to blocking in SUP'.



Example 2 Let SUP_1 and SUP_2 be the generators shown in Fig. 4, and assume event 22 in SUP_2 is exported to SUP_1, i.e., r = 22 and r' = 122; SUP'_1 is obtained by replacing 22 in SUP_1 by 122. Then SUP is nonblocking, but SUP' obtained by (9) is blocking, as shown in Fig. 5. To see why, start from the initial state, and suppose event 22 has occurred in SUP_2 but that SUP'_1 has not received the corresponding event 122. Then SUP'_1 may execute event 13, which is immediately observed by SUP_2; however, if 13 occurs, SUP'_1 and SUP_2 cannot accomplish their task synchronously; hence the system blocks.
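The channel construction of (9) and the language conditions (16), (17) and (18) of Definition 1 can be exercised mechanically. The Python below is an added example, not code from the paper or from the authors' software [23]: it builds the 2-state channel of Fig. 1, replaces channeled events by their signal events, forms SUP' for a whole set of channeled events as in Definition 2, projects out the signal events and compares the result with SUP. The observer property (13) is not checked, so a passing result is a necessary-condition screen rather than the full test of Theorem 1; the two agent pairs (names `ROBUST_*`, `CRIT_*`, functions `des`, `sync`, `delay_screen` and so on are all this example's own) are constructed here, the second mirroring the narrative of Example 2.

```python
# Added example, not the paper's code. A DES is a dict with states Q, alphabet E,
# partial transition map d {(q, e): q'}, initial state q0 and marker states Qm.
from collections import deque

def des(alphabet, trans, q0=0, marked=(0,)):
    states = {q0} | {q for q, _ in trans} | set(trans.values())
    return {"Q": states, "E": frozenset(alphabet), "d": dict(trans), "q0": q0, "Qm": set(marked)}

def sync(*comps):
    """Synchronous product (reachable part): a shared event moves every component that has it."""
    E = frozenset().union(*(c["E"] for c in comps))
    q0 = tuple(c["q0"] for c in comps)
    d, seen, todo = {}, {q0}, deque([q0])
    while todo:
        q = todo.popleft()
        for e in E:
            nxt = [qi if e not in c["E"] else c["d"].get((qi, e)) for c, qi in zip(comps, q)]
            if None in nxt:              # e is disabled in some component whose alphabet has it
                continue
            q2 = tuple(nxt)
            d[(q, e)] = q2
            if q2 not in seen:
                seen.add(q2); todo.append(q2)
    Qm = {q for q in seen if all(qi in c["Qm"] for c, qi in zip(comps, q))}
    return {"Q": seen, "E": E, "d": d, "q0": q0, "Qm": Qm}

def channel(r, r_sig):
    """The 2-state channel of Fig. 1: r drives it to state 1, the signal event r' resets it."""
    return des({r, r_sig}, {(0, r): 1, (1, r_sig): 0})

def rename(g, mapping):
    """SUP_1 -> SUP_1': each channeled event r is replaced by its signal event r'."""
    d = {(q, mapping.get(e, e)): q2 for (q, e), q2 in g["d"].items()}
    E = (g["E"] - set(mapping)) | set(mapping.values())
    return {"Q": set(g["Q"]), "E": E, "d": d, "q0": g["q0"], "Qm": set(g["Qm"])}

def project(g, null):
    """Natural projection erasing the `null` events (subset construction): L = P L(g), Lm = P Lm(g)."""
    def closure(S):                      # states reachable from S by null events only
        S = set(S)
        while True:
            new = {g["d"][(q, e)] for q in S for e in null if (q, e) in g["d"]} - S
            if not new:
                return frozenset(S)
            S |= new
    E = g["E"] - null
    q0 = closure({g["q0"]})
    d, seen, todo = {}, {q0}, deque([q0])
    while todo:
        S = todo.popleft()
        for e in E:
            T = {g["d"][(q, e)] for q in S if (q, e) in g["d"]}
            if T:
                T = closure(T)
                d[(S, e)] = T
                if T not in seen:
                    seen.add(T); todo.append(T)
    Qm = {S for S in seen if S & g["Qm"]}
    return {"Q": seen, "E": E, "d": d, "q0": q0, "Qm": Qm}

def same_language(a, b):
    """L(a) = L(b) and Lm(a) = Lm(b) for deterministic generators (paired state search)."""
    if a["E"] != b["E"]:
        return False
    seen, todo = {(a["q0"], b["q0"])}, deque([(a["q0"], b["q0"])])
    while todo:
        p, q = todo.popleft()
        if (p in a["Qm"]) != (q in b["Qm"]):
            return False
        for e in a["E"]:
            p2, q2 = a["d"].get((p, e)), b["d"].get((q, e))
            if (p2 is None) != (q2 is None):
                return False
            if p2 is not None and (p2, q2) not in seen:
                seen.add((p2, q2)); todo.append((p2, q2))
    return True

def nonblocking(g):
    """Every reachable state can reach a marker state (closure of Lm equals L)."""
    co = set(g["Qm"])
    while True:
        new = {q for (q, _), q2 in g["d"].items() if q2 in co} - co
        if not new:
            return g["Q"] <= co
        co |= new

def delay_screen(sup1, sup2, chn):
    """chn maps each channeled event r of SUP_2 to its signal event r'. Builds SUP' as in (9)
    and Definition 2, then checks (16), (17) and (18); the observer property (13) is not checked."""
    sup = sync(sup1, sup2)
    sup_c = sync(rename(sup1, chn), *[channel(r, s) for r, s in chn.items()], sup2)
    return same_language(project(sup_c, set(chn.values())), sup) and nonblocking(sup_c)

# Constructed agents (not from the paper). Robust pair: agent 2 does 22 then 24 and waits for 11.
ROBUST_SUP1 = des({11, 22}, {(0, 22): 1, (1, 11): 0})
ROBUST_SUP2 = des({11, 22, 24}, {(0, 22): 1, (1, 24): 2, (2, 11): 0})
# Delay-critical pair in the spirit of Example 2: while 22 is still in the channel, agent 1
# may choose 13, which SUP never allows after 22, and SUP' then never returns to its marker state.
CRIT_SUP1 = des({11, 13, 15, 22}, {(0, 22): 1, (1, 11): 0, (0, 13): 2, (2, 15): 0})
CRIT_SUP2 = des({11, 13, 15, 22}, {(0, 22): 1, (1, 11): 0, (1, 13): 3, (3, 15): 0, (0, 13): 2, (2, 15): 0})
```

`delay_screen(ROBUST_SUP1, ROBUST_SUP2, {22: 122})` returns True, while the critical pair fails both the language comparison (22.13 is projected behavior of SUP' but not of SUP) and the nonblocking check, exactly the two failure modes the text distinguishes.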
Given SUP, $\Sigma_{chn}$, $\Sigma_{sig}$ and SUP', we wish to verify whether or not SUP is delay-robust relative to $\Sigma_{chn}$. For this we need the concept of "supremal quasi-congruence" [14,21] and the operator Supqc [14] which projects a given DES over the alphabet $\Sigma'$ to QCDES, the corresponding quotient DES over $\Sigma^* = P(\Sigma'^*)$. We denote the counterpart computing procedure by

QCDES = Supqc(DES, Null[P])

where Null[P] is the event subset $\Sigma' - \Sigma$ that P maps to the empty string $\epsilon$; for details see [14].⁵ Let QCDES = $(Z, \Sigma, \zeta, z_0, Z_m)$. In general QCDES will be nondeterministic and include silent ($\epsilon$-) transitions. If no silent or nondeterministic transitions happen to appear in QCDES, the latter is said to be 'structurally deterministic'. Formally, QCDES is structurally deterministic if, for all $z \in Z$ and $s \in \Sigma^*$, we have

$\zeta(z, s) \neq \emptyset \Rightarrow |\zeta(z, s)| = 1$.

It is known that structural determinism of QCDES is equivalent to the condition that P is an $L_m(DES)$-observer (cf. ([14], Theorem 6.7.1)).

Given deterministic generators A and B over the same alphabet, we write $A \subseteq B$ iff $L_m(A) \subseteq L_m(B)$ and $L(A) \subseteq L(B)$; and $A \approx B$ to mean both ($A \subseteq B$) and ($B \subseteq A$). Using standard computing tools (e.g. [14]) for DES isomorphism and minimal (Nerode) state reduction we have that $A \approx B$ iff

Isomorph(Minstate(A), Minstate(B)) = true.

Clearly, $\approx$ is transitive, i.e., for given A, B and C,

$A \approx B\ \&\ B \approx C \Rightarrow A \approx C$.

Now let SUP = $(X, \Sigma, \xi, x_0, X_m)$ (in (1)), SUP' = $(Y, \Sigma', \eta, y_0, Y_m)$ (in (9)). Let

QCSUP' = Supqc(SUP', Null[r'])

where Supqc maps r' to $\epsilon$, and write QCSUP' = $(Y, \Sigma, \eta, y_0, Y_m)$.

The following theorem provides an effective test for whether or not the communication delay is tolerable, i.e., SUP is delay-robust.

Theorem 1 SUP is delay-robust relative to $\Sigma_{chn}$ (= {r}) if and only if QCSUP' is structurally deterministic, and isomorphic to SUP.

As indicated above, QCSUP' can be computed by Supqc and isomorphism of DES can be verified by Isomorph. Hence, Theorem 1 provides an effective computational criterion for delay-robustness. Before Theorem 1 is proved, a special relation between QCSUP' and PSUP' must be established; a proof is in Appendix A.

Proposition 1 If QCSUP' is structurally deterministic, then it is a canonical (minimal-state) generator for $PL_m(SUP')$.



5 This procedure can also be phrased in terms of 'bisimulation equivalence' [24], as explained in [21].
Proof of Theorem 1 (If) From Proposition 1 QCSUP' is a minimal state generator of $PL_m(SUP')$. So, QCSUP' $\approx$ PSUP'. As QCSUP' is isomorphic to SUP, QCSUP' $\approx$ SUP. Hence, SUP $\approx$ PSUP', i.e. formulas (16) and (17) both hold. For (13), since QCSUP' is structurally deterministic ([14], Theorem 6.7.1), P is an $L_m(SUP')$-observer; by Remark 1 and (17), P has the observer property with respect to SUP' and SUP. Thus by Definition 1 SUP is delay-robust relative to $\Sigma_{chn}$.

(Only if) By Remark 1, condition (13) and formula (17) imply that P is an $L_m(SUP')$-observer; thus QCSUP' is deterministic ([14]). By Proposition 1 QCSUP' $\approx$ PSUP'. Formulas (16) and (17) say that PSUP' $\approx$ SUP. Hence QCSUP' $\approx$ SUP. Finally, we conclude that QCSUP' is isomorphic to SUP. □



We have now obtained an effective tool to determine whether or not SUP is delay-robust relative to $\Sigma_{chn} = \{r\}$. If SUP is not delay-robust relative to r, we say that r is delay-critical for SUP. In that case, communication of r (with delay, as r') could result in violation of a specification. If r is delay-critical, and if such violation is inadmissible, then r must be transmitted instantaneously to the agent (in this case, LOC_1) that imports it, where "instantaneous" must be quantified on the application-determined time scale.



3.2 Delay-robustness for Multiple Events 

In this subsection, we consider delay-robustness for multiple events. First, we adopt the result of Theorem 1 as the basis of a new definition and extend delay-robustness naturally to multiple events. Then we prove that delay-robustness of a set $R_2$ (of multiple events) implies that delay-robustness holds for any subset of $R_2$.

Definition 2 Let $R_2 \subseteq \Sigma_2$ be a subset of events r imported from G_2 by LOC_1 via their corresponding channels C2r1 (i.e. $\Sigma_{chn} = R_2$), and let SUP_1 be modified to SUP'_1 by replacing each r by its transmitted version r' as before. Let

SUP' := Sync(SUP'_1, {C2r1 | r ∈ $R_2$}, SUP_2).

Then SUP is delay-robust relative to the event subset $R_2$ provided

Isomorph(Supqc(SUP', Null[{r' | r ∈ $R_2$}]), SUP) = true.

Note that the property of SUP described in Definition 2 is stricter than in Definition 1: that SUP is delay-robust with respect to each event $r \in R_2$ taken separately does not imply that SUP is delay-robust with respect to $R_2$ as a subset; however, that SUP is delay-robust with respect to $R_2$ does imply that SUP is delay-robust with respect to each separate event $r \in R_2$. The former statement will be illustrated in the WORKCELL example in Sect. 4. We confirm the latter as follows.

Theorem 2 Let $R_2 = \{\alpha_1, \ldots, \alpha_n\}$ and let $A_i = \{\alpha_1, \ldots, \alpha_i\}$ ($1 \le i \le n$). If SUP is delay-robust with respect to $A_n$ (= $R_2$), then SUP is delay-robust with respect to $A_{n-1}$ (= $A_n - \{\alpha_n\}$).
Fig. 6 $P_{A'_i}$ and $P_{\alpha'}$ (diagram of the projections relating SUP', $SUP'_{A_i}$ and SUP)


By Theorem 2, if SUP is delay-robust with respect to $R_2$, then it is delay-robust with respect to the subset $A_n - \{\alpha_n\}$ for arbitrary $\alpha_n$. Applying Theorem 2 on subsets of $R_2$, we conclude that

Corollary 1 If SUP is delay-robust with respect to $R_2$, then it is delay-robust with respect to any subset of $R_2$.

Let $SUP'_{A_i}$ be the channeled behavior of SUP with exactly the events in $A_i$ being channeled events ($A'_i$ is the event set of signal events corresponding to events in $A_i$), i.e.

$SUP'_{A_i} = \mathrm{Sync}(SUP'_1, \{CH_\alpha \mid \alpha \in A_i\}, SUP'_2)$ (19)

where $SUP'_k$ (k = 1, 2) is obtained by replacing $\alpha$ in $SUP_k$ by $\alpha'$ ($\alpha'$ is the signal event of $\alpha$) and $CH_\alpha$ is the communication channel for $\alpha$. $\Sigma_{SUP'_{A_i}} = \Sigma_{SUP} \cup A'_i$ is the event set of $SUP'_{A_i}$.

Remark 2 If $\alpha_{i+1} \in \Sigma_{SUP'_1}$ then

$SUP'_{A_{i+1}} = \mathrm{Sync}(SUP''_1, \{CH_\alpha \mid \alpha \in A_{i+1}\}, SUP'_2)$

$= \mathrm{Sync}(SUP''_1, CH_{\alpha_{i+1}}, \mathrm{Sync}(\{CH_\alpha \mid \alpha \in A_i\}, SUP'_2))$

where $SUP''_1$ is obtained by replacing $\alpha_{i+1}$ in $SUP'_1$ by $\alpha'_{i+1}$. So $SUP'_{A_{i+1}}$ can be treated as the channeled behavior of $SUP'_{A_i}$ with $\alpha_{i+1}$ being the only channeled event and $CH_{\alpha_{i+1}}$ its communication channel.

Define natural projections $P_{A'_i} : \Sigma^*_{SUP'_{A_i}} \to \Sigma^*_{SUP}$ which maps $\alpha' \in A'_i$ to $\epsilon$ (empty string) and $P_{\alpha'} : \Sigma^*_{SUP'_{A_n}} \to \Sigma^*_{SUP'_{A_{n-1}}}$ which maps $\alpha'_n$ to $\epsilon$; then we have

(20)

as shown in Fig. 6.

By definition of delay-robust (Definition 1), we must verify (13), (16) and (17) for SUP, $SUP'_{A_{n-1}}$ and $P_{A'_{n-1}}$, i.e.

$L(SUP) = P_{A'_{n-1}} L(SUP'_{A_{n-1}})$, (21)
$L_m(SUP) = P_{A'_{n-1}} L_m(SUP'_{A_{n-1}})$, (22)
$P_{A'_{n-1}}$ has the observer property with respect to SUP and $SUP'_{A_{n-1}}$. (23)
Fig. 7 $sv \notin L_m(SUP'_{A_{n-1}}) \Rightarrow tw \notin L_m(SUP'_{A_n})$ (An arrow with a vertical bar 
represents that the corresponding transition with a string or an event is not 
defined.) 

Fig. 8 $s\sigma \notin L(SUP'_{A_{n-1}}) \Rightarrow tw \notin L(SUP'_{A_n})$ 

Equations (21) and (22) can be proved from the process of obtaining $SUP'_{A_{n-1}}$ 
and $SUP'_{A_n}$, and the relationships among $P_{A_{n-1}'}$, $P_{A_n'}$ and $P_{\alpha_n'}$ shown in Fig. 6. 
Condition (23) cannot be obtained directly from the observer property of $P_{A_n'}$ (with respect 
to SUP and $SUP'_{A_n}$), since $SUP'_{A_n}$ has a more complex structure than $SUP'_{A_{n-1}}$, 
inasmuch as the component $SUP_1'$ (suppose $\alpha_n$ is imported by $SUP_1'$ from $G_2$) 
in $SUP'_{A_n}$ receives the occurrence of $\alpha_n$ (i.e. $\alpha_n'$) with indefinite delay, but $P_{A_n'}$ 
has the same image (observable event set) as $P_{A_{n-1}'}$, as shown in Fig. 6. So we 
prove (23) by contraposition as follows: a 'bad' string in $L(SUP'_{A_{n-1}})$ (causing 
$P_{A_{n-1}'}$ to fail to have the observer property (23)) implies the existence of a 'bad' 
string in $L(SUP'_{A_n})$ (causing $P_{A_n'}$ to fail to have the observer property). For 
this we need the following lemmas, proved in Appendix B. Lemma 1 shows the 
relationship between $SUP'_{A_{i-1}}$ and $SUP'_{A_i}$. Lemmas 2 and 3 show that if a string 
$s \in L(SUP'_{A_{n-1}})$ causes $P_{A_{n-1}'}$ to fail to have the observer property, then there 
exists $t \in L(SUP'_{A_n})$ corresponding to $s$ showing that $P_{A_n'}$ fails to have the 
observer property. As described in Fig. 7, Lemma 2 says that if in $SUP'_{A_{n-1}}$ there 
is a string $s$ which cannot lead to a marker state by $v \in \Sigma^*_{SUP'_{A_{n-1}}}$, then in 
$SUP'_{A_n}$ there exists a string $t$ corresponding to $s$ such that if $P_{\alpha_n'} w = v$, then $t$ 
cannot arrive at a marker state through $w$. As in Fig. 8, Lemma 3 says that if in 
$SUP'_{A_{n-1}}$ there is a string $s$ after which $\sigma \in \Sigma_{SUP'_{A_{n-1}}}$ is not defined, then in 
$SUP'_{A_n}$ there exists a string $t$ corresponding to $s$ such that if $P_{\alpha_n'} w = \sigma$, then 
$w$ is not defined after $t$. 

Lemma 1 Let $SUP'_{A_0}$ represent SUP. For $1 \le i \le n$, 

$L(SUP'_{A_{i-1}}) \subseteq P_{\alpha_i'} L(SUP'_{A_i})$, 
$L_m(SUP'_{A_{i-1}}) \subseteq P_{\alpha_i'} L_m(SUP'_{A_i})$. 

Lemma 2 Suppose there exist $s \in L(SUP'_{A_{n-1}})$ and $v \in \Sigma^*_{SUP'_{A_{n-1}}}$ such that 
$\#\alpha_n(v) = 0$ and $sv \notin L_m(SUP'_{A_{n-1}})$. Then there exists $t \in L(SUP'_{A_n})$ such that 
$P_{\alpha_n'} t = s$ and for any $w \in \Sigma^*_{SUP'_{A_n}}$, if $P_{\alpha_n'} w = v$, then $tw \notin L_m(SUP'_{A_n})$. 

Lemma 3 Suppose there exist $s \in L(SUP'_{A_{n-1}})$ and $\sigma \in \Sigma_{SUP'_{A_{n-1}}}$ such that 
$s\sigma \notin L(SUP'_{A_{n-1}})$. Then there exists $t \in L(SUP'_{A_n})$ such that $P_{\alpha_n'} t = s$ and for 
any $w \in \Sigma^*_{SUP'_{A_n}}$, if $P_{\alpha_n'} w = \sigma$, then $tw \notin L(SUP'_{A_n})$. 

Proof of Theorem 2. By definition of delay-robustness, we must prove (21), (22) and 
(23). 

(1) For (21), we first show that $L(SUP) \subseteq P_{A_{n-1}'} L(SUP'_{A_{n-1}})$. By Lemma 1, 

$L(SUP) \subseteq P_{\alpha_1'} L(SUP'_{A_1})$ 
$\qquad \subseteq P_{\alpha_1'}(P_{\alpha_2'} L(SUP'_{A_2}))$ 
$\qquad \subseteq P_{\alpha_1'} P_{\alpha_2'} \cdots P_{\alpha_{n-1}'} L(SUP'_{A_{n-1}})$ 
$\qquad = P_{A_{n-1}'} L(SUP'_{A_{n-1}})$ (by (20)) 

Similarly, $L(SUP'_{A_{n-1}}) \subseteq P_{\alpha_n'} L(SUP'_{A_n})$. So, 

$P_{A_{n-1}'} L(SUP'_{A_{n-1}}) \subseteq P_{A_{n-1}'}(P_{\alpha_n'} L(SUP'_{A_n}))$ 
$\qquad = P_{A_n'} L(SUP'_{A_n})$ 
$\qquad \subseteq L(SUP)$ (since SUP is delay-robust with respect to $R_2$, i.e. $A_n$). 

Hence, $L(SUP) = P_{A_{n-1}'} L(SUP'_{A_{n-1}})$. 

(2) Equation (22) is proved similarly. 

(3) For (23), we prove the contrapositive. 

Assume that $P_{A_{n-1}'}$ does not have the observer property with respect to SUP 
and $SUP'_{A_{n-1}}$, i.e. there exist $s \in L(SUP'_{A_{n-1}})$ and $w \in \Sigma^*$ such that $(P_{A_{n-1}'} s) w \in 
L_m(SUP)$ and for all $v \in \Sigma^*_{SUP'_{A_{n-1}}}$ either $P_{A_{n-1}'} v \ne w$ or $sv \notin L_m(SUP'_{A_{n-1}})$. 
Thus, for all $v \in \Sigma^*_{SUP'_{A_{n-1}}}$, if $P_{A_{n-1}'} v = w$, then $sv \notin L_m(SUP'_{A_{n-1}})$. Let 
$\#\alpha_n(v) = m$; we consider the following two cases. 

(i) $m = 0$. By Lemma 2 there exists $t \in L(SUP'_{A_n})$ such that $P_{\alpha_n'}(t) = s$ and 
for any $u \in \Sigma^*_{SUP'_{A_n}}$, if $P_{\alpha_n'} u = v$, then $tu \notin L_m(SUP'_{A_n})$. However, $P_{A_n'}(tu) = 
P_{A_{n-1}'}(P_{\alpha_n'}(tu)) = P_{A_{n-1}'}(sv) = P_{A_{n-1}'}(s) w \in L_m(SUP)$. Hence $P_{A_n'}$ does not 
have the observer property with respect to SUP and $SUP'_{A_n}$. 

(ii) $m > 0$. Write $v = v_1 \alpha_n v_2$ where $\#\alpha_n(v_2) = 0$. Let $s' = s v_1 \alpha_n$. If $s' \in 
L(SUP'_{A_{n-1}})$, by Lemma 2 there exists $t \in L(SUP'_{A_n})$ such that $P_{\alpha_n'}(t) = s'$ 
and for any $u \in \Sigma^*_{SUP'_{A_n}}$, if $P_{\alpha_n'} u = v_2$, then $tu \notin L_m(SUP'_{A_n})$. So in this case 
$P_{A_n'}$ does not have the observer property with respect to SUP and $SUP'_{A_n}$. If 
$s' \notin L(SUP'_{A_{n-1}})$, then because $s \in L(SUP'_{A_{n-1}})$, there must exist $v_{11}, v_{12} \in 
\Sigma^*_{SUP'_{A_{n-1}}}$ and $\sigma \in \Sigma_{SUP'_{A_{n-1}}}$ such that $v_1 = v_{11} \sigma v_{12}$ and $s v_{11} \in L(SUP'_{A_{n-1}})$, 
but $s v_{11} \sigma \notin L(SUP'_{A_{n-1}})$. By Lemma 3 there exists $t \in L(SUP'_{A_n})$ such that 
$P_{\alpha_n'}(t) = s v_{11}$ and for any $u \in \Sigma^*_{SUP'_{A_n}}$, if $P_{\alpha_n'} u = \sigma$, then $tu \notin L(SUP'_{A_n})$. So 
$t u v_{12} \alpha_n v_2 \notin L_m(SUP'_{A_n})$. However, 

$P_{A_n'}(t u v_{12} \alpha_n v_2) = P_{A_{n-1}'}(P_{\alpha_n'}(t u v_{12} \alpha_n v_2))$ 
$\qquad = P_{A_{n-1}'}(s v_{11} \sigma v_{12} \alpha_n v_2)$ 
$\qquad = P_{A_{n-1}'}(s) w \in L_m(SUP)$. 

Hence $P_{A_n'}$ does not have the observer property with respect to SUP and $SUP'_{A_n}$. 

In both cases the results contradict the assumption that SUP is delay-robust 
with respect to $R_2$ ($= A_n$); hence (23) holds after all. We conclude that SUP is 
delay-robust with respect to $A_{n-1}$, as claimed by Theorem 2. □ 

Finally, we define delay-robustness with respect to both channeled communication 
of $\Sigma_{com,1}$ from $G_2$ to $LOC_1$ and channeled communication of $\Sigma_{com,2}$ 
from $G_1$ to $LOC_2$, i.e. $\Sigma_{chn} = \Sigma_{com} = \Sigma_{com,1} \cup \Sigma_{com,2}$ (as in (6)). In obvious 
notation, let 

$SUP' := Sync(SUP_1', \{C2\tau1 \mid \tau \in \Sigma_{com,1}\}, \{C1\tau2 \mid \tau \in \Sigma_{com,2}\}, SUP_2')$. 

Definition 3 SUP is delay-robust for distributed control by localization provided 
the projected channeled behavior 

$Supqc(SUP', Null[\{\tau_1' \mid \tau_1 \in \Sigma_{com,1}\} \cup \{\tau_2' \mid \tau_2 \in \Sigma_{com,2}\}])$ 

is isomorphic to SUP. 

Delay-robustness in the sense of Definition 3 represents an ideal which is too 
strong a property to be expected in most practical situations. We discuss this issue 
in the light of the WORKCELL example in Sect. 4. 

We note in passing that all the above results can be extended to decentralized 
controllers; for details see Appendix C. 



3.3 Bounded and Unbounded Delay 

The foregoing discussion of delay-robustness covers channeled events in general, 
regardless of their control status, and is adequate if all channeled events happen to 
be controllable. In the case of uncontrollable channeled events, however, we must 
additionally examine whether channel delay introduces undesirable side effects 
or violates the conventional modeling assumption that uncontrollable events may 
occur spontaneously at states where they are enabled and should not be subject 
to external disablement. To this end, in the rest of this section we consider the 
re-occurrence of an uncontrollable channeled event, and then distinguish delay-
robustness as bounded or unbounded according to whether such an event is blocked 
or not by its communication channel. 

In our model the transmission of $\tau$ from $G_2$ to $LOC_1$ is completed (by event $\tau'$) 
with indefinite (unbounded) delay. A constraint imposed on SUP' by the channel 
$C2\tau1$ is that $\tau$ cannot occur again until $\tau'$ has reset $C2\tau1$ and the communication 
cycle is ready to repeat. If $\tau$ is controllable its re-occurrence can be disabled and 
hence delayed until after the occurrence of $\tau'$ corresponding to the previous occurrence 
of $\tau$. If, however, $\tau$ is uncontrollable, then once it is re-enabled (by entrance 
of $SUP_2$ to a state where $\tau$ is defined) its re-occurrence cannot be externally 
delayed, according to the usual modeling assumption on uncontrollable events. In 
this sense the introduction of $C2\tau1$ could conceivably conflict with the intention 
of the original DES model. To address this issue we examine (1) whether the 
(unpreventable) occurrence of an uncontrollable channeled event might violate the 
problem specification, and (2) whether communication delay of an uncontrollable 
event might violate a modeling assumption. 

We refer to case (1) as an implementation fault (or simply fault), namely an 
uncontrollable channeled event $\tau$ is executed by SUP' despite the fact that, after 
the last previous occurrence of $\tau$, its channel is still waiting at state 1 for the reset 
event $\tau'$. Assume that SUP is delay-robust with respect to $\tau$. It will be shown that 
a fault will not cause violation of the specification, namely the fault is accepted 
by (i.e. defined in) SUP. 

Let the DES 

$$C2\tau1 = (\{0, 1\}, \{\tau, \tau'\}, \delta, 0, \{0\}); \qquad (24)$$ 

below for $C2\tau1$ we write CHNL. Define 

$$NSUP = Sync(SUP_1', SUP_2); \qquad (25)$$ 

then 

$$SUP' = Sync(NSUP, CHNL). \qquad (26)$$ 

As before, write $\Sigma' = \Sigma \cup \{\tau'\}$, let $P: \Sigma'^* \to \Sigma^*$ be the natural projection of $\Sigma'^*$ 
to $\Sigma^*$, and define the new natural projection 

$$P_{CHNL}: \Sigma'^* \to \{\tau, \tau'\}^*. \qquad (27)$$ 

Proposition 2 Given NSUP in (25) and SUP' in (26), suppose there exists a 
string $t = s\tau \in L(NSUP)$ such that 

(i) $\tau \in \Sigma_u$, 
(ii) $(Ps)\tau \in L(G)$, 
(iii) $s \in L(SUP')$. 

Then $Pt \in L(SUP)$. 

Remark 3 Condition (i) says that $\tau$ is uncontrollable; condition (ii) means that 
the generated strings as viewed through $P$ should belong to $L(G)$; condition (iii) 
states that $s$ is generated by SUP'. 

Proof of Proposition 2. Because $s \in L(SUP')$ and SUP is delay-robust with respect 
to $\tau$, we have $Ps \in L(SUP)$. As SUP is an optimal supervisor, $L(SUP)$ is 
controllable with respect to $G$; further, 

$(Ps)\tau \in L(SUP)\Sigma_u \cap L(G) \subseteq L(SUP)$. 

Hence, $Pt = P(s\tau) = (Ps)\tau \in L(SUP)$. □ 
Suppose an implementation fault occurs, namely there exist $\tau \in \Sigma_u$ and $s \in 
L(SUP')$ such that $s\tau \in L(NSUP)$, $\delta(0, P_{CHNL} s) = 1$, but $s\tau \notin L(SUP')$. By 
Proposition 2, $(Ps)\tau \in L(SUP)$; thus we see that the fault will not cause violation 
of the specification. 

The above result can easily be extended to a more general case: $\Sigma_{chn}$ contains 
more than one channeled event, i.e. any event, say $\alpha \in \Sigma_{chn}$, is transmitted from 
$G_2$ to $SUP_1$, or from $G_1$ to $SUP_2$, with indefinite delay via its channel $CHNL_\alpha$. 
For $i = 1, 2$, if $SUP_i$ imports event $\alpha \in \Sigma_{chn}$, let $SUP_i'$ be the DES obtained 
from $SUP_i$ by replacing $\alpha$ by its signal event $\alpha'$. Let 

$$NSUP = Sync(SUP_1', SUP_2'), \qquad (28)$$ 

and thus 

$$SUP' = Sync(NSUP, \{CHNL_\alpha \mid \alpha \in \Sigma_{chn}\}). \qquad (29)$$ 

For NSUP in (28), SUP' in (29), and an uncontrollable event $\tau$ (selected 
arbitrarily) in $\Sigma_{chn}$, suppose there exists a string $t = s\tau \in L(NSUP)$ such that 
$(Ps)\tau \in L(G)$ and $s \in L(SUP')$. Then, as in Proposition 2, it can be shown that 
$Pt \in L(SUP)$ even if the transmission of $\tau$ has not been completed by execution 
of $\tau'$, i.e. the implementation fault of executing $\tau$ will not cause a violation of 
the specification. Since $\tau$ is arbitrarily selected, we conclude that the implementation 
fault of executing any uncontrollable event in $\Sigma_{chn}$ is accepted by SUP. 

Next we consider issue (2), namely whether the communication delay of an 
uncontrollable event could lead to violation of a modeling assumption. To formalize 
this issue we make the following definition. 

Definition 4 Given NSUP and SUP' as in (25) and (26), let $\tau \in \Sigma_u$. If there 
exists $s \in L(SUP')$ such that $s\tau \in L(NSUP)$, but $s\tau \notin L(SUP')$, then we say 
that $\tau$ is blocked by CHNL. 

Example 3 For illustration, let $SUP_1$ and $SUP_2$ be the generators shown in 
Fig. 9. Assume event 20 in $SUP_2$ is exported to $SUP_1$, i.e., $\tau = 20$ and $\tau' = 
120$; $SUP_1'$ is obtained by replacing 20 in $SUP_1$ by 120. As shown in Fig. 10, 
$SUP' = Sync(SUP_1', CHNL, SUP_2)$ is easily verified to be delay-robust with 
respect to event 20. Define $NSUP = Sync(SUP_1', SUP_2)$. Let $s = 20.21$; then 
$s.20 \in L(NSUP)$, but $s.20 \notin L(SUP')$. Since $SUP' = Sync(NSUP, CHNL)$, 
event 20 is blocked by its channel CHNL. 

Event $\tau$ will be blocked by CHNL only when CHNL is in state 1, at which $\tau$ is 
not defined. So we create a new generator which accepts $s\tau$ when $s$ leads CHNL 
to state 1. On this basis the following algorithm is proposed to verify whether or 
not $\tau$ is blocked by CHNL in SUP'. 

Algorithm 1 (i) Marking all the states of NSUP, we obtain a generator 
MNSUP with 

$$L_m(MNSUP) = L(NSUP). \qquad (30)$$ 

(ii) Create a generator 

$$NCHNL = (\{0, 1, 2\}, \{\tau, \tau'\}, \delta_N, 0, \{2\})$$ 

where $\delta_N = [[0, \tau, 1], [1, \tau', 0], [1, \tau, 2], [2, \tau, 2]]$, as shown in Fig. 11. 

(iii) Let $TEST = Sync(MNSUP, NCHNL)$, and $TTEST = Trim(TEST)$. 
Fig. 9 Example 3: $SUP_1$ and $SUP_2$ 

Fig. 10 Example 3: SUP' and NSUP 

Note that NCHNL has the same alphabet $\{\tau, \tau'\}$ as CHNL. Also 
MNSUP does not change any event label in NSUP, thus its alphabet is $\Sigma'$. 
Hence, 

$L_m(TTEST) = L_m(TEST)$ (by definition of Trim) 
$\qquad = L_m(MNSUP) \parallel L_m(NCHNL)$ (by definition of Sync) 
$\qquad = L_m(MNSUP) \cap P_{CHNL}^{-1} L_m(NCHNL)$ ($\{\tau, \tau'\} \subseteq \Sigma'$, $P_{CHNL}$ is defined by (27)) 
$\qquad = L(NSUP) \cap P_{CHNL}^{-1} L_m(NCHNL)$ (by (30)) 
Remark 4 Since $TTEST = Trim(TEST)$, TTEST is trim, i.e. TTEST is reachable 
and coreachable [14]. If $L_m(TTEST)$ is empty, which implies that there are no 
marker states in TTEST, then TTEST is empty. On the other hand, if TTEST 
is empty, obviously $L_m(TTEST)$ is empty. We conclude that TTEST is empty 
iff $L_m(TTEST)$ is empty. So TTEST is nonempty iff 

$(\exists s \in (\Sigma \cup \{\tau'\})^*)\ s \in L(NSUP) \cap P_{CHNL}^{-1} L_m(NCHNL)$. 

We use the state set of TTEST to identify whether or not $\tau$ is blocked by 
CHNL. 

Theorem 3 Let TTEST be returned by Algorithm 1. Then $\tau$ is blocked by CHNL 
if and only if TTEST is nonempty. 

Proof. (Only if) If event $\tau$ is blocked by CHNL, there exists $s \in L(SUP')$ such 
that $s\tau \in L(NSUP)$, but $s\tau \notin L(SUP')$. By $s \in L(SUP')$, $s \in L(NSUP) \cap 
P_{CHNL}^{-1} L(CHNL)$. Thus $P_{CHNL} s \in L(CHNL)$. By $s\tau \notin L(SUP')$ and $s\tau \in 
L(NSUP)$, $(P_{CHNL} s)\tau \notin L(CHNL)$. According to the transition structure of 
CHNL, $L(CHNL) = \overline{(\tau\tau')^*} = (\tau\tau')^* \cup (\tau\tau')^*\tau$. We claim that $P_{CHNL} s \in (\tau\tau')^*\tau$. Otherwise 
$P_{CHNL} s \in (\tau\tau')^*$, and then $P_{CHNL}(s\tau) = (P_{CHNL} s)\tau \in (\tau\tau')^*\tau \subseteq L(CHNL)$, 
which contradicts $(P_{CHNL} s)\tau \notin L(CHNL)$. It follows that $(P_{CHNL} s)\tau \in (\tau\tau')^*\tau\tau$, 
so $\delta_N(0, P_{CHNL}(s\tau)) = 2$. Hence $P_{CHNL}(s\tau) \in L_m(NCHNL)$. It follows from 
$s\tau \in L(NSUP)$ that 

$s\tau \in L(NSUP) \cap P_{CHNL}^{-1} L_m(NCHNL) = L_m(TTEST)$. 

Thus TTEST is nonempty, as claimed. 

(If) If TTEST is nonempty, there exists a string $t \in L_m(TTEST)$. 
Since $L_m(TTEST) = L(NSUP) \cap P_{CHNL}^{-1} L_m(NCHNL)$, $t \in L(NSUP)$ and 
$P_{CHNL} t \in L_m(NCHNL)$. By $P_{CHNL} t \in L_m(NCHNL)$ and $L_m(NCHNL) = 
(\tau\tau')^*\tau(\tau\tau^*)$, $P_{CHNL} t \in (\tau\tau')^*\tau(\tau\tau^*)$; thus there exist $s \in (\Sigma \cup \{\tau'\})^*$ and $v \in 
\Sigma^*$ such that $t = s\tau v$ with $P_{CHNL} s \in (\tau\tau')^*\tau$ and $P_{CHNL} v \in \tau^*$. We show 
that (i) $P_{CHNL} s \in L(CHNL)$, and (ii) $P_{CHNL}(s\tau) \notin L(CHNL)$. For (i), since 
$\delta(0, (\tau\tau')^*) = 0$ ($\delta$ is the transition function of CHNL) and $\delta(0, (\tau\tau')^*\tau) = 1$, 
$\delta(0, P_{CHNL} s) = \delta(0, (\tau\tau')^*\tau) = 1$; thus $P_{CHNL} s \in L(CHNL)$. For (ii), 

$\delta(0, P_{CHNL}(s\tau)) = \delta(0, (P_{CHNL} s)\tau) = \delta(\delta(0, P_{CHNL} s), \tau) = \delta(1, \tau)$. 

However, $\delta(1, \tau)$ is not defined in CHNL. Hence $P_{CHNL}(s\tau) \notin L(CHNL)$. 
Since $t \in L(NSUP)$, $s, s\tau \in L(NSUP)$. So 

$s \in L(NSUP) \cap P_{CHNL}^{-1} L(CHNL) = L(SUP')$ 

and 

$s\tau \notin L(NSUP) \cap P_{CHNL}^{-1} L(CHNL) = L(SUP')$. 

By Definition 4, we conclude that $\tau$ is blocked by CHNL. □ 

All the steps in Algorithm 1 can be implemented by standard software (e.g. 
[23]), and their validity and correctness are confirmed by Theorem 3. 
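As an added illustration (not part of the paper, and not the TCT software of [23]), the following Python code implements the constructions used above on small constructed generators: the synchronous product Sync, Trim, the 2-state channel CHNL of (24) and the 3-state test generator NCHNL of Algorithm 1. It runs Algorithm 1 (so that Theorem 3 decides blocking from whether TTEST is nonempty) and, alongside it, checks Definition 4 directly by searching SUP' = Sync(NSUP, CHNL) of (26) for a reachable state whose channel component is 1 while NSUP still defines $\tau$, returning a shortest witness string. The generators EX_SUP1_PRIME and EX_SUP2 are constructed here for illustration (Fig. 9 of Example 3 is not reproduced) and are chosen so that, as in Example 3, the string 20.21 witnesses blocking of event 20; the second constructed pair, in which 20 cannot recur until a shared event 23 occurs and 23 requires the signal 120 to have arrived, shows the unblocked case. All event labels and names are this example's own.

```python
from collections import deque


class DES:
    """Deterministic generator (Q, Sigma, delta, q0, Qm); delta: partial map (q, e) -> q'."""

    def __init__(self, states, alphabet, delta, q0, marked):
        self.states, self.alphabet = set(states), set(alphabet)
        self.delta, self.q0, self.marked = dict(delta), q0, set(marked)


def sync(*gens):
    """Synchronous product over the reachable part: a shared event needs every component
    that has it in its alphabet to enable it; private events interleave."""
    alphabet = set().union(*(g.alphabet for g in gens))
    q0 = tuple(g.q0 for g in gens)
    delta, seen, queue = {}, {q0}, deque([q0])
    while queue:
        q = queue.popleft()
        for e in alphabet:
            nxt = []
            for g, qi in zip(gens, q):
                if e not in g.alphabet:
                    nxt.append(qi)                  # component does not see e
                elif (qi, e) in g.delta:
                    nxt.append(g.delta[(qi, e)])
                else:
                    break                           # e disabled by this component
            else:
                nxt = tuple(nxt)
                delta[(q, e)] = nxt
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    marked = {q for q in seen if all(qi in g.marked for g, qi in zip(gens, q))}
    return DES(seen, alphabet, delta, q0, marked)


def trim(g):
    """Keep the coreachable states (all states of a sync() result are already reachable);
    returns the empty generator when no marker state is reachable."""
    rev = {}
    for (q, e), q2 in g.delta.items():
        rev.setdefault(q2, set()).add(q)
    co, queue = set(g.marked), deque(g.marked)
    while queue:
        for p in rev.get(queue.popleft(), ()):
            if p not in co:
                co.add(p)
                queue.append(p)
    if g.q0 not in co:
        return DES(set(), g.alphabet, {}, g.q0, set())
    delta = {k: v for k, v in g.delta.items() if k[0] in co and v in co}
    return DES(co, g.alphabet, delta, g.q0, g.marked & co)


def mark_all(g):
    """Algorithm 1, step (i): MNSUP with L_m(MNSUP) = L(NSUP)."""
    return DES(g.states, g.alphabet, g.delta, g.q0, g.states)


def chnl(tau, tau_sig):
    """CHNL of (24): tau occupies the channel, the signal event tau' releases it."""
    return DES({0, 1}, {tau, tau_sig}, {(0, tau): 1, (1, tau_sig): 0}, 0, {0})


def nchnl(tau, tau_sig):
    """NCHNL of Algorithm 1, step (ii): a second tau while the channel is busy reaches marker 2."""
    return DES({0, 1, 2}, {tau, tau_sig},
               {(0, tau): 1, (1, tau_sig): 0, (1, tau): 2, (2, tau): 2}, 0, {2})


def algorithm1_blocked(sup1_prime, sup2, tau, tau_sig):
    """Theorem 3: tau is blocked by CHNL iff TTEST = Trim(Sync(MNSUP, NCHNL)) is nonempty."""
    nsup = sync(sup1_prime, sup2)                                    # NSUP of (25)
    ttest = trim(sync(mark_all(nsup), nchnl(tau, tau_sig)))          # step (iii)
    return len(ttest.states) > 0


def blocking_witness(sup1_prime, sup2, tau, tau_sig):
    """Definition 4 checked directly on SUP' = Sync(NSUP, CHNL) of (26): breadth-first search
    for a shortest s in L(SUP') with s.tau in L(NSUP) but not in L(SUP'), i.e. a reachable
    SUP' state whose channel is in state 1 while NSUP still defines tau. None if never blocked."""
    nsup = sync(sup1_prime, sup2)
    supp = sync(nsup, chnl(tau, tau_sig))
    paths, queue = {supp.q0: []}, deque([supp.q0])
    while queue:
        st = queue.popleft()
        q, c = st
        if c == 1 and (q, tau) in nsup.delta:
            return paths[st]
        for e in sorted(supp.alphabet):
            nxt = supp.delta.get((st, e))
            if nxt is not None and nxt not in paths:
                paths[nxt] = paths[st] + [e]
                queue.append(nxt)
    return None


# Constructed generators for illustration (not Fig. 9 of the paper). Event 20 of SUP2 is
# exported to SUP1 with signal event 120; SUP1' carries 120 in place of 20.
EX_SUP1_PRIME = DES({0, 1}, {120, 22}, {(0, 120): 1, (1, 22): 0}, 0, {0})
EX_SUP2 = DES({0, 1}, {20, 21}, {(0, 20): 1, (1, 21): 0}, 0, {0})
# Variant: 20 cannot recur until shared event 23 occurs, and 23 needs 120 to have arrived.
EX2_SUP1_PRIME = DES({0, 1}, {120, 23}, {(0, 120): 1, (1, 23): 0}, 0, {0})
EX2_SUP2 = DES({0, 1, 2}, {20, 21, 23}, {(0, 20): 1, (1, 21): 2, (2, 23): 0}, 0, {0})
```

On the first pair `algorithm1_blocked(EX_SUP1_PRIME, EX_SUP2, 20, 120)` returns True and `blocking_witness(...)` returns [20, 21], the same string as in Example 3: after 20.21 SUP2 re-enables 20 while CHNL still waits at state 1 for 120. On the second pair both return False and None respectively, because any path back to a state where 20 is defined passes through 23, which SUP1' only enables after 120. Note that NCHNL blocks $\tau'$ at state 0, so TEST enforces the channel protocol up to the second $\tau$; this is what makes L_m(TTEST) a subset of strings whose prefix s lies in L(SUP'), exactly as in the proof of Theorem 3, and the two functions agree on both pairs.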

Finally, we consider issue (2) in the general case described before, i.e. $\Sigma_{chn}$ 
contains more than one communication event. For NSUP in (28) and SUP' in 
(29), let $\tau \in \Sigma_u \cap \Sigma_{chn}$. By (29), if there exists $s \in L(SUP')$ such that $s\tau \in 
L(NSUP)$, but $s\tau \notin L(SUP')$, then $\tau$ is blocked by the communication channels 
$CHNL_\alpha$ ($\alpha \in \Sigma_{chn}$). However, for any $\alpha \in \Sigma_{chn} - \{\tau\}$, since $\tau$ is not defined at 
any state of $CHNL_\alpha$, i.e. $s.\tau \in P_{CHNL_\alpha}^{-1} L(CHNL_\alpha)$ (the definition of $P_{CHNL_\alpha}$ 
is similar to (27), replacing $\tau$ and $\tau'$ by $\alpha$ and $\alpha'$), $\tau$ will not be blocked by $CHNL_\alpha$. 
Hence $\tau$ is blocked by CHNL ($CHNL_\tau$ is identical to CHNL). 

In Algorithm 1, replacing NSUP and SUP' by the DES in (28) and (29) 
respectively, and letting 

$$TEST = Sync(MNSUP, NCHNL, \{CHNL_\alpha \mid \alpha \in \Sigma_{chn} - \{\tau\}\}), \qquad (31)$$ 

we obtain a new algorithm, say Algorithm 2. Let TTEST be returned by 
Algorithm 2. As in Theorem 3, it can be proved that $\tau$ is blocked by CHNL if 
and only if TTEST is nonempty, with the difference that $L(NSUP)$ is replaced 
by $L(NSUP) \cap (\bigcap\{P_{CHNL_\alpha}^{-1} L_m(CHNL_\alpha) \mid \alpha \in \Sigma_{chn} - \{\tau\}\})$ in the appropriate 
instances. 

Suppose $\tau$ is uncontrollable. If TTEST is empty, then 

$(\forall s \in L(SUP'))\ s\tau \in L(NSUP) \Rightarrow s\tau \in L(SUP')$. 

So $\tau$ will not be blocked by CHNL. In this case SUP is said to be 'unbounded' 
delay-robust with respect to $\tau$, similar to when $\tau$ is controllable. If TTEST is 
nonempty, there exists $s \in L(SUP')$ such that $s\tau \in L(NSUP)$, but $s\tau \notin 
L(SUP')$. Although by Proposition 2 we have proved that the occurrence of $\tau$ 
will not cause a fault which violates the specification, $\tau$ is blocked by the channel. 
This could violate a modeling assumption, since $\tau$ is an uncontrollable event and 
should never be prohibited or delayed by an external agent. However, if the occurrence 
of $\tau$ is received by $LOC_1$ before the next occurrence of $\tau$, the controllers 
will achieve global optimal nonblocking supervision. In this case we say that SUP 
is 'bounded' delay-robust with respect to $\tau$. 

We illustrate these results by an example adapted from [14]. 



4 Example - WORKCELL 

4.1 Model Description and Controller Design 

WORKCELL consists of ROBOT, LATHE and FEEDER, with three buffers, 
INBUF, LBUF and SBBUF, connected as in Fig. 12. Labeled arrows denote 
synchronization on shared transitions (events) in the corresponding component 
DES. 
Fig. 12 WORKCELL 

Table 1 Physical interpretation of events 

Event label   Physical interpretation 
11            FEEDER imports new part from infinite source 
12            FEEDER loads new part in INBUF 
13            ROBOT takes part from INBUF for loading into LBUF 
14            ROBOT loads part from INBUF into LBUF 
15            ROBOT takes part from INBUF for loading into SBBUF 
16            ROBOT loads part from INBUF into SBBUF 
17            ROBOT takes part from SBBUF for loading into LBUF 
18            ROBOT loads part from SBBUF into LBUF 
19            LATHE loads part from LBUF and starts working 
20            LATHE exports finished part and returns to idle 

</gr_repl>

WORKCELL operates as follows: FEEDER acquires a new part from an 
infinite source (event 11) then stores it (event 12) in a 2-slot buffer INBUF. 
ROBOT takes a new part from INBUF (event 13) and stores it (event 14) in a 
1-slot buffer LBUF; if LBUF is already full, ROBOT may instead take a new 
part from INBUF (event 15) and store it (event 16) in a 1-slot 'stand-by' buffer 
SBBUF. If LBUF is empty and there is already a part in SBBUF, ROBOT 
first unloads the part in SBBUF (event 17) and loads it in LBUF (event 18). 
If LATHE is idle and there is a part in LBUF, LATHE takes that part 
and starts working on it (event 19), and when finished exports it and returns to 
idle (event 20). Event labels accord with [23]: odd- (resp. even-) numbered events 
are controllable (resp. uncontrollable). The physical interpretations of events are 
displayed in Table 1. 

The specifications to be enforced are: 1) SPEC1 says that a buffer must not 
overflow or underflow; 2) SPEC2 says that ROBOT can load SBBUF (event 
sequence 15.16) only when LBUF is already full; 3) SPEC3 says that ROBOT 
can load LBUF directly from INBUF (event sequence 13.14) only when SBBUF 
is empty; otherwise it must load from SBBUF (event sequence 17.18). 

The DES models of plant components and specifications are shown in Figs. 13 
and 14. 

We first compute the monolithic supervisor by a standard method (e.g. [14, 
23]). The behavior of WORKCELL is the synchronous product of FEEDER, 
ROBOT, and LATHE. As SPEC1 is automatically incorporated in the buffer 
models, the total specification SPEC is the synchronous product of INBUF, 
LBUF, SBBUF, SPEC2, and SPEC3. The monolithic supervisor is 

SUPER = Supcon(WORKCELL, SPEC) 

with (state, transition) count (70, 153). 

Fig. 13 Plant models to be controlled 

Fig. 14 Model of Specifications 

Next by use of procedure Localize [14, 23], we compute the localization of 
SUPER (in the sense of [5, 6]) to each of the three WORKCELL agents, to 
obtain local controllers FEEDERLOC, ROBOTLOC and LATHELOC, as 
shown in Fig. 15. The local controlled behaviors are 

FEEDERSUP = Sync(FEEDER, FEEDERLOC), 
ROBOTSUP = Sync(ROBOT, ROBOTLOC), 
LATHESUP = Sync(LATHE, LATHELOC). 

From the transition structures shown in Fig. 15 we see that FEEDERLOC 
(FEEDERSUP) must import events 13 and 15 from ROBOT; ROBOTLOC 
(ROBOTSUP) must import event 12 from FEEDER and event 19 from LATHE; 
and LATHELOC (LATHESUP) must import events 14, 15, 16, 18 from ROBOT. 

Fig. 15 Local Controller for each component 

Fig. 16 CR13F and CR15F 



4.2 Illustrative Cases 

Based on the computed local controllers, we illustrate our new verification tools 
with the following cases. 

Case 1 - Event 13 

Taking FEEDERLOC for example, build a channel CR13F, as shown in 
Fig. 16, using a new event label 113 to represent the corresponding channel output; 
use this label to replace 13 in FEEDERSUP to obtain FEEDERSUP', over 
the alphabet {11, 12, 113}. 

Now compute the channeled behavior SUPER' according to 

SUPER' = Sync(FEEDERSUP', CR13F, ROBOTSUP, LATHESUP) 

over the augmented alphabet {11, ..., 20, 113} and with (state, transition) count 
(112, 276). Next, to check delay-robustness we project SUPER' modulo supremal 
quasi-congruence with nulled event 113, to get, say, 

QCSUPER' := Supqc(SUPER', Null[113]) 

(deterministic, with size (70, 153)). 

Finally we verify that QCSUPER' is isomorphic to SUPER, and conclude 
that SUPER is delay-robust with respect to the channeled communication of 
event 13 from ROBOT to FEEDERLOC. As a physical interpretation, consider 
the case where events 11, 12, 11, 12, 13 have occurred sequentially (i.e. two 
parts have been placed in INBUF and ROBOT has taken one of them) and 
FEEDERSUP' has not yet received the occurrence 113 of event 13. On the one 
hand, if FEEDERSUP' executes event 113 (i.e. it receives the occurrence of 
event 13), it will enable event 11 legally (according to SUPER). On the other 
hand, if FEEDERSUP' does not execute event 113, then ROBOT will load 
the part into LBUF and take another part from INBUF (execute event 15). 
So FEEDERSUP' can enable event 11 again, which is also legal according 
to SUPER. Hence, in this case, the channeled system SUPER' can run 'correctly' 
(no extra behavior violates the specification) and can 'complete' the given 
task (with the help of SBBUF), i.e. the communication delay of event 13 is tolerable 
with respect to SUPER. By the same method, one can verify that SUPER 
is delay-robust with respect to events 12, 14, 15, 16, 18, 19 each taken separately. 

Case 2 - Events 13 and 15 

This case shows that SUPER is delay-robust relative to the event set {13, 15}. 

Similar to CR13F, build another channel CR15F, as shown in Fig. 16, using 
a new event label 115 to represent the corresponding channel output. Use labels 
113, 115 to replace 13, 15 in FEEDERSUP to obtain FEEDERSUP', over the 
alphabet {11, 12, 113, 115}. 

We compute the channeled behavior SUPER' according to 

SUPER' = Sync(FEEDERSUP', CR13F, CR15F, ROBOTSUP, LATHESUP), 

over the augmented alphabet {11, ..., 20, 113, 115} and with (state, transition) 
count (148, 444). Next, to check delay-robustness we project SUPER' modulo 
supremal quasi-congruence with nulled events 113, 115, to get, say, 

QCSUPER' := Supqc(SUPER', Null[113, 115]) 

(deterministic, with size (70, 153)). 

Finally QCSUPER' turns out to be isomorphic to SUPER, and we conclude 
that SUPER is delay-robust with respect to the channeled communication 
of events 13, 15 from ROBOT to FEEDERLOC. Briefly, the reason is 
that FEEDERSUP' will enable event 11 after it executes event 113 or 115, and 
ROBOT will remain idle if no more parts are loaded into the system (i.e. event 
11 cannot occur again). 

Case 3 - Events 15 and 19 

This case shows that SUPER being delay-robust with respect to each event 
(15 or 19) taken separately does not imply that SUPER is delay-robust with 
respect to the set {15, 19}. 

Fig. 18 NCF12R 

Events 15 and 19 are shown, by Definition 5, to be delay-critical when they 
are both delayed by an indefinite time. By tracking the working process, we show 
that communication delay of both events 15 and 19 may result in violation of 
SPEC2. Consider the following case: events 11, 12, 11, 12, 13, 14, 19 have occurred 
sequentially, i.e. there is one part in INBUF, ROBOT has loaded a part 
in LBUF and LATHE has taken the part from LBUF (i.e. LBUF is now 
empty). Since the transmission of event 19 is delayed unboundedly, if ROBOT 
does not know that LATHE has taken the part from LBUF, it may take a new 
part from INBUF (event 15) and load it into SBBUF (event 16) according to 
ROBOTSUP'. In this case, if there were no communication delay in transmitting 
event 15 (i.e. LATHESUP could observe the occurrence of event 15 instantly), 
event 15 would not occur after event 19 has occurred, due to the synchronization of 
LATHESUP and ROBOTSUP' (according to LATHESUP, event 15 should 
not happen after event 19 occurred). Now event 15 is delayed indefinitely; thus 
LATHESUP' does not know of the occurrence of event 15 before it receives the 
information (event 315), and event 15 (followed by event 16) will occur before 
event 14 or 18 occurs (permitted by synchronization of LATHESUP' and 
ROBOTSUP'), i.e. the event sequence 11.12.11.12.13.14.19.15.16 occurs in the 
plant with communication delay, but violates SPEC2. Hence, the event subset 
{15, 19} is delay-critical with respect to SUPER. 

Case 4 - Event 12 

This case shows that although the occurrence of (uncontrollable) event 12 may 
be blocked by its channel CF12R, as shown in Fig. 17, this will not violate the 
specifications. 

Let $\tau = 12$ and $\tau' = 212$, and create NCF12R similarly to NCHNL, as shown 
in Fig. 18. Take 

NSUPER = Sync(FEEDERSUP, ROBOTSUP', LATHESUP) 

and let MNSUPER be the generator obtained by marking all the states of 
NSUPER. Let 

TTEST = Trim(Sync(MNSUPER, NCF12R)). 

TTEST turns out to be nonempty; indeed, it contains $s = 11.12.11.12$. Physically, 
suppose 11, 12 and 11 have occurred sequentially, i.e., FEEDER has stored 
a part in INBUF and taken another part (event 11). After that, FEEDER 
may store the part in INBUF (event 12, which is uncontrollable). Since $s$ is in 
L(SUPER), the occurrence of 12 will not violate global optimal supervision, as 
shown in Proposition 2. However, if ROBOTSUP' has not received the first occurrence 
of 12, then CF12R is at state 1, and thus cannot transmit the next 
occurrence of 12. So, in the channeled system SUPER', event 12 is blocked by 
CF12R. If transmission of the first 12 is completed (i.e. event 212 occurs) before 
the second occurrence of event 12, then event 12 will not be blocked. In 
SUPER, only event 11 occurs between two occurrences of event 12; thus we say 
that SUPER is '1-bound' delay-robust with respect to event 12. 

Case 5 - Event 14 

This case shows that the occurrence of event 14 will not be blocked by its 
channel CR14L, shown in Fig. 17. 

Applying Algorithm 1 to event 14, the returned TTEST is empty. We conclude 
that event 14 will not be blocked by CR14L, and SUPER is unbounded-delay-
robust with respect to 14. To illustrate the conclusion, we consider the following 
case: there are two parts in INBUF (events 11, 12, 11, 12 have occurred sequentially), 
and ROBOT has taken a part from INBUF (event 13) and placed it 
in LBUF (event 14). In Fig. 15, FEEDERLOC is at state 2 and is waiting for 
the occurrence of event 15 (ROBOT takes a part from INBUF); ROBOTLOC 
is at state 5 and is waiting for the occurrence of 19 (LATHE takes a part from 
LBUF) or waiting to enable event 15; and LATHELOC is at state 0 and is waiting 
for the occurrence of event 14. Only when the occurrence of event 14 has been 
received by LATHELOC can events 15 and 19 be enabled by their corresponding 
controllers. Furthermore, event 14 cannot occur again until event 15 or event 19 
occurs. Hence in this case the occurrence of event 14 is not blocked by its channel 
CR14L. 

Case 6 - All communication events 

When all communication events are subject to delay through channels (i.e. 
$\Sigma_{chn} = \Sigma_{com}$), it can be verified that delay-robustness of SUPER in the strong 
sense of Definition 3 (suitably extended to 3 agents) fails, i.e. SUPER fails to 
be delay-robust for distributed control by localization. Physically, when all the 
channeled events except 15 and 19 are received without delay, Case 6 is reduced 
to Case 3; thus SUPER is not delay-robust with respect to the set including all 
communication events, as confirmed by Corollary 1 in Sect. 3. 



5 Conclusions and Future Work 

In this paper we have studied distributed control obtained by supervisor localization 
on the relaxed assumption (compared to previous literature [5, 6]) that inter-
agent communication of selected 'communication events' (channeled events) may 
be subject to unknown time delays. For this distributed architecture we have identified 
a property of 'delay-robustness' which guarantees that the logical properties 
of our delay-free distributed control (i.e. the original DES specifications) continue 
to be enforced in the presence of delay, albeit with possibly degraded temporal 
behavior. We have shown that delay-robustness can be effectively tested, and that 
such tests serve to distinguish between events that are delay-critical and those 
that are not. The case that an uncontrollable channeled event may be blocked by 
its communication channel is identified and for this a test procedure is provided. 
A simple workcell exemplifies the approach, showing how delay-robustness may 
depend on the subset of events subject to delay, and that a given event may be 
delay-critical for some choices of the delayed event subset but not for others. 

With the definitions and tests reported here as basic tools, future work should 
include the investigation of global interconnection properties of a distributed sys- 
tem of DES which render delay-robustness more or less likely to be achieved. 
A quantitative approach involving timed discrete-event systems could also be an 
attractive extension. 



Appendices 

A Proof of Proposition [l] 

Recall that SUP' = (Y, E' , rj, yo, Y m ). According to natural projection P : E" — > E* which 
maps (E' — E) to e, define 77' : Y X E* — ¥ Pwr(Y) given by 

v'(y,t) = tn(y,s)\s e s'*,n{y,a)\ SzPs = t}. (32) 

Let p be the supremal quasi-congruence on Y with respect to SUP', and define P p : Q —> Y/ p = 
Y. As in ( 14 , Chapt. 6), QCSUP' = (Y, E,fj,y ,Y m ) is defined with fj : Y X E* -> Pwr(Y) 
given by 

v(V, t) ■■= \J{P P (v'(y , t))\P P (y) = !/}, (33) 

"So = p p(yo) and Ym = P p (Q m )- 

Proof. We must prove that $\mathrm{QCSUP}'$ represents $PL_m(\mathrm{SUP}')$ and is a canonical generator. 

(1) We show that $\mathrm{QCSUP}'$ represents $PL_m(\mathrm{SUP}')$, i.e., 

$L_m(\mathrm{QCSUP}') = PL_m(\mathrm{SUP}')$ 

and 

$L(\mathrm{QCSUP}') = PL(\mathrm{SUP}').$ 

(i) $L(\mathrm{QCSUP}') \subseteq PL(\mathrm{SUP}')$ 

Let $t \in L(\mathrm{QCSUP}')$. We prove by induction that $t \in PL(\mathrm{SUP}')$. 
Base step: $t = \epsilon \in PL(\mathrm{SUP}')$ trivially. 

Inductive step: Suppose $t \in L(\mathrm{QCSUP}')$, $t \in PL(\mathrm{SUP}')$, and $t\sigma \in L(\mathrm{QCSUP}')$; we must prove $t\sigma \in PL(\mathrm{SUP}')$. 

Since $t\sigma \in L(\mathrm{QCSUP}')$, we have $\bar{\eta}(\bar{y}_0, t)!$ and $\bar{\eta}(\bar{y}_0, t\sigma)!$. So, $(\exists \bar{y} \in \bar{Y})\ \bar{y} = \bar{\eta}(\bar{y}_0, t)\ \&\ \bar{\eta}(\bar{y}, \sigma)!$. We have $\bar{y}_0 = P_\rho y_0$. Since $t \in PL(\mathrm{SUP}')$, $(\exists s \in L(\mathrm{SUP}'))\ Ps = t$, i.e. $\eta(y_0, s)!$. So, $\eta(y_0, s) \in \eta'(y_0, t)$, i.e., $\eta'(y_0, t) \neq \emptyset$. Thus, $\bar{y} = P_\rho \eta'(y_0, t)$ because $\mathrm{QCSUP}'$ is deterministic. Since $\bar{\eta}(\bar{y}, \sigma)!$ and $\eta'(y_0, t) \neq \emptyset$, there exists $y \in \eta'(y_0, t)$ such that $\bar{\eta}(\bar{y}, \sigma) = P_\rho \eta'(y, \sigma)$. Hence, $\eta'(y_0, t\sigma)!$. However, according to (32), 

$\eta'(y_0, t\sigma) = \{\eta(y_0, s) \mid s \in {\Sigma'}^*,\ \eta(y_0, s)!,\ Ps = t\sigma\}.$ 

Thus, $(\exists s \in L(\mathrm{SUP}'))\ Ps = t\sigma$, so $t\sigma \in PL(\mathrm{SUP}')$. 

(ii) $PL(\mathrm{SUP}') \subseteq L(\mathrm{QCSUP}')$ 

Let $t \in PL(\mathrm{SUP}')$; we show that $t \in L(\mathrm{QCSUP}')$. 
Base step: $t = \epsilon \in L(\mathrm{QCSUP}')$ trivially. 

Inductive step: Supposing $t \in PL(\mathrm{SUP}')$, $t \in L(\mathrm{QCSUP}')$, and $t\sigma \in PL(\mathrm{SUP}')$, we show $t\sigma \in L(\mathrm{QCSUP}')$. 

Since $t \in PL(\mathrm{SUP}')$ and $t \in L(\mathrm{QCSUP}')$, $\eta'(y_0, t) \neq \emptyset$, $\bar{\eta}(\bar{y}_0, t)!$; letting $\bar{y} = \bar{\eta}(\bar{y}_0, t)$, then $\bar{y} = P_\rho \eta'(y_0, t)$ because $\mathrm{QCSUP}'$ is deterministic. Since $t\sigma \in PL(\mathrm{SUP}')$, there exists $s' \in L(\mathrm{SUP}')$, i.e. $\eta(y_0, s')!$, such that $Ps' = t\sigma$; thus 

$\bigcup \{\eta'(y', \sigma) \mid y' \in \eta'(y_0, t)\}$ 

$= \bigcup \{\eta'(y', \sigma) \mid s \in {\Sigma'}^*,\ y' = \eta(y_0, s),\ Ps = t\}$   (according to (32)) 

$= \{\eta(\eta(y_0, s), v) \mid v \in {\Sigma'}^*,\ \eta(\eta(y_0, s), v)!,\ Ps = t,\ Pv = \sigma\}$ 

$= \{\eta(y_0, sv) \mid sv \in {\Sigma'}^*,\ \eta(y_0, sv)!,\ P(sv) = t\sigma\}$ 

$\neq \emptyset$   (since $\eta(y_0, s')!$ and $Ps' = t\sigma$), 

i.e. there exists $y \in \eta'(y_0, t)$ such that $\eta'(y, \sigma) \neq \emptyset$. Then, $P_\rho y = \bar{y}$ due to $\bar{y} = P_\rho \eta'(y_0, t)$. Hence, $\bar{\eta}(\bar{y}, \sigma) = P_\rho \eta'(y, \sigma) \neq \emptyset$, i.e., $\bar{\eta}(\bar{y}, \sigma)!$. So, $t\sigma \in L(\mathrm{QCSUP}')$. 

(iii) $L_m(\mathrm{QCSUP}') \subseteq PL_m(\mathrm{SUP}')$ 

For any $t \in \Sigma^*$, if $t \in L_m(\mathrm{QCSUP}')$, then $(\exists \bar{y} \in \bar{Y})\ \bar{y} = \bar{\eta}(\bar{y}_0, t)\ \&\ \bar{y} \in \bar{Y}_m$. By (i), we conclude that $t \in PL(\mathrm{SUP}')$. Thus, $\eta'(y_0, t) \neq \emptyset$. Because $\mathrm{QCSUP}'$ is deterministic, we know that $\bar{y} = P_\rho \eta'(y_0, t)$. So, $P_\rho \eta'(y_0, t) \in \bar{Y}_m$. Further, $\eta'(y_0, t) \cap Y_m \neq \emptyset$, i.e., there exists $s \in {\Sigma'}^*$ such that $\eta(y_0, s)!\ \&\ \eta(y_0, s) \in Y_m\ \&\ Ps = t$. Hence, $s \in L_m(\mathrm{SUP}')$, thus $t = Ps \in PL_m(\mathrm{SUP}')$. 

(iv) $PL_m(\mathrm{SUP}') \subseteq L_m(\mathrm{QCSUP}')$ 

For any $t \in \Sigma^*$, if $t \in PL_m(\mathrm{SUP}')$, then $\eta'(y_0, t)!\ \&\ \eta'(y_0, t) \cap Y_m \neq \emptyset$. By (ii), $t \in L(\mathrm{QCSUP}')$, i.e., $(\exists \bar{y} \in \bar{Y})\ \bar{\eta}(\bar{y}_0, t)!\ \&\ \bar{y} = \bar{\eta}(\bar{y}_0, t)$. Since $\mathrm{QCSUP}'$ is deterministic, $\bar{y} = P_\rho \eta'(y_0, t)$. We conclude that $P_\rho \eta'(y_0, t) \in \bar{Y}_m$ from $\eta'(y_0, t) \cap Y_m \neq \emptyset$. Hence, $\bar{y} \in \bar{Y}_m$, i.e., $t \in L_m(\mathrm{QCSUP}')$. 

(2) We prove that $\mathrm{QCSUP}'$ is a canonical (minimal-state) generator. 

Let $\nu$ be a congruence on $\bar{Y}$ defined according to: $\bar{y} \equiv \bar{y}' \pmod{\nu}$ provided 

(i) $(\forall t \in \Sigma^*)\ \bar{\eta}(\bar{y}, t)! \Leftrightarrow \bar{\eta}(\bar{y}', t)!$ 

(ii) $(\forall t \in \Sigma^*)\ \bar{\eta}(\bar{y}, t) \in \bar{Y}_m \Leftrightarrow \bar{\eta}(\bar{y}', t) \in \bar{Y}_m$. 

With reference to ([14], Proposition 2.5.1), projection $(\bmod\ \nu)$ reduces $\mathrm{QCSUP}'$ to a state-minimal generator. 

Define $P_\nu : \bar{Y} \to \bar{Y}/\nu$ and write $\nu \circ \rho = \ker(P_\nu \circ P_\rho)$. Next we will prove that $\nu \circ \rho$ is a quasi-congruence on $Y$, i.e., for all $y, y' \in Y$, 

$P_\nu \circ P_\rho(y) = P_\nu \circ P_\rho(y') \Rightarrow (\forall \sigma \in \Sigma)\ P_\nu \circ P_\rho \eta'(y, \sigma) = P_\nu \circ P_\rho \eta'(y', \sigma).$ 

Now 

$P_\nu \circ P_\rho(y) = P_\nu \circ P_\rho(y')$ 

$\Rightarrow P_\nu(P_\rho(y)) = P_\nu(P_\rho(y'))$ 

$\Rightarrow P_\nu(\bar{\eta}(P_\rho(y), \sigma)) = P_\nu(\bar{\eta}(P_\rho(y'), \sigma))$ 

(cf. (ii) of Proposition 2.5.1 in [14]) 

$\Rightarrow P_\nu(\bar{\eta}(\bar{y}, \sigma)) = P_\nu(\bar{\eta}(\bar{y}', \sigma))$ 

$\Rightarrow P_\nu(P_\rho(\eta'(y, \sigma))) = P_\nu(P_\rho(\eta'(y', \sigma)))$ 

$\Rightarrow P_\nu \circ P_\rho \eta'(y, \sigma) = P_\nu \circ P_\rho \eta'(y', \sigma)$ 

Hence, $\nu \circ \rho$ is a quasi-congruence on $Y$. Obviously, $\nu \circ \rho$ is coarser than $\rho$. However, $\rho$ is the supremal quasi-congruence on $Y$, so for any $y, y' \in Y$, if $P_\nu(P_\rho(y)) = P_\nu(P_\rho(y'))$, i.e., $(y, y') \in \nu \circ \rho$, then $(y, y') \in \rho$, which means that $P_\rho(y) = P_\rho(y')$. Hence, $\nu = \bot$ (namely all its cells are singletons). 

We have shown that $\mathrm{QCSUP}'$ is a canonical generator. □ 



B Proofs of Lemmas 1-3 

To illustrate the proof idea of Lemmas 1-3 we consider a simpler case where $R_2 = \{\alpha, \beta\}$. As in Remark 1, $\mathrm{SUP}'_i$ is treated as the channeled behavior of $\mathrm{SUP}_i$ with event $\omega_{i+1}$ being the channeled event. So, the general case of Lemmas 1-3 can be proved by the same method. 
Table 2 Definition of each DES 

| DES | Alphabet | Definition |
|---|---|---|
| $\mathrm{SUP}_1$ | $\Sigma_{\mathrm{SUP}_1} = \Sigma'_1$ | $\mathrm{Sync}(G_1, \mathrm{LOC}_1)$ |
| $\mathrm{SUP}_2$ | $\Sigma_{\mathrm{SUP}_2} = \Sigma'_2$ | $\mathrm{Sync}(G_2, \mathrm{LOC}_2)$ |
| $\mathrm{SUP}$ | $\Sigma_{\mathrm{SUP}} = \Sigma$ | $\mathrm{Sync}(\mathrm{SUP}_1, \mathrm{SUP}_2)$ |
| $\mathrm{SUP}'_1$ | $\Sigma_{\mathrm{SUP}'_1} = \Sigma'_1 \cup \{\alpha'\} - \{\alpha\}$ | Replacing $\alpha$ in $\mathrm{SUP}_1$ by $\alpha'$ |
| $\mathrm{CH}_\alpha$ | $\Sigma_{\mathrm{CH}_\alpha} = \{\alpha, \alpha'\}$ | two-state channel to transmit $\alpha$ |
| $\mathrm{SUP}'$ | $\Sigma_{\mathrm{SUP}'} = \Sigma \cup \{\alpha'\}$ | $\mathrm{Sync}(\mathrm{SUP}'_1, \mathrm{CH}_\alpha, \mathrm{SUP}_2)$ |
| $\mathrm{SUP}''_1$ | $\Sigma_{\mathrm{SUP}''_1} = \Sigma'_1 \cup \{\alpha', \beta'\} - \{\alpha, \beta\}$ | Replacing $\alpha$ and $\beta$ in $\mathrm{SUP}_1$ by $\alpha'$ and $\beta'$ |
| $\mathrm{CH}_\beta$ | $\Sigma_{\mathrm{CH}_\beta} = \{\beta, \beta'\}$ | two-state channel to transmit $\beta$ |
| $\mathrm{NSUP}'$ | $\Sigma_{\mathrm{NSUP}'} = \Sigma \cup \{\alpha', \beta'\}$ | $\mathrm{Sync}(\mathrm{SUP}''_1, \mathrm{CH}_\alpha, \mathrm{CH}_\beta, \mathrm{SUP}_2)$ |



Table 3 Definition of natural projections 

| Natural Projection | Nulled events |
|---|---|
| $P_1 : \Sigma_{\mathrm{SUP}}^* \to \Sigma_{\mathrm{SUP}_1}^*$ | $\Sigma - \Sigma'_1$ |
| $P_2 : \Sigma_{\mathrm{SUP}}^* \to \Sigma_{\mathrm{SUP}_2}^*$ | $\Sigma - \Sigma'_2$ |
| $P'_1 : \Sigma_{\mathrm{SUP}'}^* \to \Sigma_{\mathrm{SUP}'_1}^*$ | $\Sigma \cup \{\alpha\} - \Sigma'_1$ $(= \Sigma \cup \{\alpha'\} - (\Sigma'_1 \cup \{\alpha'\} - \{\alpha\}))$ |
| $P'_2 : \Sigma_{\mathrm{SUP}'}^* \to \Sigma_{\mathrm{SUP}_2}^*$ | $\Sigma \cup \{\alpha'\} - \Sigma'_2$ |
| $P'_{\mathrm{CH}_\alpha} : \Sigma_{\mathrm{SUP}'}^* \to \Sigma_{\mathrm{CH}_\alpha}^*$ | $\Sigma - \{\alpha\}$ $(= \Sigma \cup \{\alpha'\} - \{\alpha, \alpha'\})$ |
| $P_{\alpha'} : \Sigma_{\mathrm{SUP}'}^* \to \Sigma_{\mathrm{SUP}}^*$ | $\alpha'$ $(= \Sigma \cup \{\alpha'\} - \Sigma)$ |
| $P'_{N,1} : \Sigma_{\mathrm{NSUP}'}^* \to \Sigma_{\mathrm{SUP}''_1}^*$ | $\Sigma \cup \{\alpha, \beta\} - \Sigma'_1$ $(= \Sigma \cup \{\alpha', \beta'\} - (\Sigma'_1 \cup \{\alpha', \beta'\} - \{\alpha, \beta\}))$ |
| $P'_{N,2} : \Sigma_{\mathrm{NSUP}'}^* \to \Sigma_{\mathrm{SUP}_2}^*$ | $\Sigma \cup \{\alpha', \beta'\} - \Sigma'_2$ |
| $P'_{N,\mathrm{CH}_\alpha} : \Sigma_{\mathrm{NSUP}'}^* \to \Sigma_{\mathrm{CH}_\alpha}^*$ | $\Sigma \cup \{\beta'\} - \{\alpha\}$ $(= \Sigma \cup \{\alpha', \beta'\} - \{\alpha, \alpha'\})$ |
| $P'_{N,\mathrm{CH}_\beta} : \Sigma_{\mathrm{NSUP}'}^* \to \Sigma_{\mathrm{CH}_\beta}^*$ | $\Sigma \cup \{\alpha'\} - \{\beta\}$ $(= \Sigma \cup \{\alpha', \beta'\} - \{\beta, \beta'\})$ |
| $P_{\beta'} : \Sigma_{\mathrm{NSUP}'}^* \to \Sigma_{\mathrm{SUP}'}^*$ | $\{\beta'\}$ $(= \Sigma \cup \{\alpha', \beta'\} - (\Sigma \cup \{\alpha'\}))$ |
| $P_{\alpha'\beta'} : \Sigma_{\mathrm{NSUP}'}^* \to \Sigma_{\mathrm{SUP}}^*$ | $\{\alpha', \beta'\}$ $(= \Sigma \cup \{\alpha', \beta'\} - \Sigma)$ |
| $P'_{11} : \Sigma_{\mathrm{SUP}'}^* \to (\Sigma_{\mathrm{SUP}'} - \{\alpha\})^*$ | $\alpha$ |
| $P'_{12} : (\Sigma_{\mathrm{SUP}'} - \{\alpha\})^* \to \Sigma_{\mathrm{SUP}'_1}^*$ | $\Sigma - \Sigma'_1$ $(= \Sigma \cup \{\alpha'\} - \{\alpha\} - (\Sigma'_1 \cup \{\alpha'\} - \{\alpha\}))$ |
| $P_\beta : \Sigma_{\mathrm{NSUP}'}^* \to (\Sigma_{\mathrm{NSUP}'} - \ldots$ (row truncated in the source) | (truncated in the source) |


Let $\alpha, \beta$ be the channeled events imported by $\mathrm{LOC}_1$ from $G_2$ and transmitted by $\mathrm{CH}_\alpha$ and $\mathrm{CH}_\beta$ respectively. Let $\alpha'$ (resp. $\beta'$) be the output for $\alpha$ (resp. $\beta$) in $\mathrm{CH}_\alpha$ (resp. $\mathrm{CH}_\beta$), representing that $\mathrm{LOC}_1$ ($\mathrm{SUP}_1$ as well) receives the occurrence of $\alpha$ (resp. $\beta$) in $G_2$. Replacing all $\alpha$ in $\mathrm{SUP}_1$ by $\alpha'$, we obtain $\mathrm{SUP}'_1$; then 

$\mathrm{SUP}' = \mathrm{Sync}(\mathrm{SUP}'_1, \mathrm{CH}_\alpha, \mathrm{SUP}_2).$   (34) 

Replacing all $\alpha$ and $\beta$ in $\mathrm{SUP}_1$ by $\alpha'$ and $\beta'$ correspondingly, we obtain $\mathrm{SUP}''_1$; and write 

$\mathrm{NSUP}' = \mathrm{Sync}(\mathrm{SUP}''_1, \mathrm{CH}_\alpha, \mathrm{CH}_\beta, \mathrm{SUP}_2),$   (35) 

or equivalently 

$\mathrm{NSUP}' = \mathrm{Sync}(\mathrm{SUP}''_1, \mathrm{CH}_\beta, \mathrm{Sync}(\mathrm{SUP}_2, \mathrm{CH}_\alpha)).$   (36) 

The definition of each DES and its alphabet is itemized in Table 2 and the definition of each natural projection is in Table 3. 

To prove the lemmas, we first explain the relationship between $\mathrm{SUP}_1$ and $\mathrm{SUP}'_1$ by Lemmas 4 and 5: let $s = s_1\alpha \ldots s_k\alpha s_{k+1}$ where $s_i \in (\Sigma - \{\alpha\})^*$ and $t = s_1\alpha' \ldots s_k\alpha' s_{k+1}$; as shown in Fig. 19, $s \in P_1^{-1}L(\mathrm{SUP}_1)$ is equivalent to $t \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$. 

Fig. 19 $s \in P_1^{-1}L(\mathrm{SUP}_1) \Leftrightarrow t \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$ (figure not reproduced: the path $P_1(s_1)\,\alpha \ldots P_1(s_k)\,\alpha\, P_1(s_{k+1})$ in $\mathrm{SUP}_1$ alongside the corresponding path in $\mathrm{SUP}'_1$) 

Fig. 20 $P'_1 = P'_{12}P'_{11}$ (figure not reproduced: the projections between $\mathrm{SUP}'$ and $\mathrm{SUP}'_1$) 

Lemma 4 1) Let $s \in P_1^{-1}L(\mathrm{SUP}_1)$ and $k = \#\alpha(s)$ where $\#\alpha(s)$ denotes the number of occurrences of $\alpha$ in $s$. If $k = 0$, then $s \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$; if $k > 0$, write $s = s_1\alpha \ldots s_k\alpha s_{k+1}$ where $s_i \in (\Sigma - \{\alpha\})^*$; then $s_1\alpha' \ldots s_k\alpha' s_{k+1} \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$ and $s_1\alpha\alpha' \ldots s_k\alpha\alpha' s_{k+1} \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$. 

2) Let $s \in P_1^{-1}L_m(\mathrm{SUP}_1)$. If $k = 0$, then $s \in {P'_1}^{-1}L_m(\mathrm{SUP}'_1)$; if $k > 0$, then $s_1\alpha' \ldots s_k\alpha' s_{k+1} \in {P'_1}^{-1}L_m(\mathrm{SUP}'_1)$ and $s_1\alpha\alpha' \ldots s_k\alpha\alpha' s_{k+1} \in {P'_1}^{-1}L_m(\mathrm{SUP}'_1)$. 

Proof. For this proof, we define $P'_{11}$ and $P'_{12}$ as in Table 3; thus $P'_1 = P'_{12}P'_{11}$, as shown in Fig. 20. Statements 1) and 2) can be proved by the same method. We only prove 1), for the following two cases. 

(i) $k = 0$. Since $k = 0$, $s \in (\Sigma - \{\alpha\})^*$. So $P_1(s) \in (\Sigma - \{\alpha\} - (\Sigma - \Sigma'_1))^* = (\Sigma_{\mathrm{SUP}_1} - \{\alpha\})^*$ and $P'_{12}(s) \in (\Sigma - \{\alpha\} - (\Sigma - \Sigma'_1))^* = (\Sigma_{\mathrm{SUP}_1} - \{\alpha\})^*$. It follows that $P'_{12}(s) = P_1(s)$. By $s \in P_1^{-1}L(\mathrm{SUP}_1)$, $P_1(s) \in L(\mathrm{SUP}_1)$. Because $k = 0$ and $\mathrm{SUP}'_1$ is obtained from $\mathrm{SUP}_1$ by replacing $\alpha$ with $\alpha'$, $P_1(s) \in L(\mathrm{SUP}_1)$ implies that $P_1(s) \in L(\mathrm{SUP}'_1)$. Hence, $P'_{12}(s) = P_1(s) \in L(\mathrm{SUP}'_1)$. Due to $s \in (\Sigma - \{\alpha\})^* \subseteq (\Sigma \cup \{\alpha'\} - \{\alpha\})^*$, $P'_{11}(s) = s$. So $P'_1(s) = P'_{12}P'_{11}(s) = P'_{12}(s) \in L(\mathrm{SUP}'_1)$. So $s \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$. 

(ii) $k > 0$. Write $s = s_1\alpha \ldots s_k\alpha s_{k+1}$ where $s_i \in (\Sigma - \{\alpha\})^*$ $(i = 1, \ldots, k+1)$. So $P_1(s) = P_1(s_1)\alpha \ldots P_1(s_k)\alpha P_1(s_{k+1})$. By $s \in P_1^{-1}L(\mathrm{SUP}_1)$, $P_1(s) \in L(\mathrm{SUP}_1)$; thus $P_1(s_1)\alpha \ldots P_1(s_k)\alpha P_1(s_{k+1}) \in L(\mathrm{SUP}_1)$. As in (i), due to $\#\alpha(s_i) = 0$, $P'_{12}(s_i) = P_1(s_i)$ $(i = 1, \ldots, k+1)$. So, $P'_{12}(s_1)\alpha \ldots P'_{12}(s_k)\alpha P'_{12}(s_{k+1}) \in L(\mathrm{SUP}_1)$; and thus, $P'_{12}(s_1)\alpha' \ldots P'_{12}(s_k)\alpha' P'_{12}(s_{k+1}) \in L(\mathrm{SUP}'_1)$. Hence 

$P'_{12}(s_1\alpha' \ldots s_k\alpha' s_{k+1}) = P'_{12}(s_1)P'_{12}(\alpha') \ldots P'_{12}(s_k)P'_{12}(\alpha')P'_{12}(s_{k+1})$ 
$= P'_{12}(s_1)\alpha' \ldots P'_{12}(s_k)\alpha' P'_{12}(s_{k+1})$ 
$\in L(\mathrm{SUP}'_1).$ 

Let $s' = s_1\alpha' \ldots s_k\alpha' s_{k+1}$. Since $s' \in (\Sigma_{\mathrm{SUP}'} - \{\alpha\})^*$, $P'_{11}(s') = s'$. So $P'_1(s') = P'_{12}P'_{11}(s') = P'_{12}(s') \in L(\mathrm{SUP}'_1)$; further $s' \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$. Let $t = s_1\alpha\alpha' \ldots s_k\alpha\alpha' s_{k+1}$; then $P'_{11}(t) = s'$. Similarly, $t \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$. □ 

Lemma 5 1) Let $s \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$, $\#\alpha(s) = 0$ and $k = \#\alpha'(s)$. If $k = 0$, then $s \in P_1^{-1}L(\mathrm{SUP}_1)$; if $k > 0$, write $s = s_1\alpha' \ldots s_k\alpha' s_{k+1}$ where $s_i \in (\Sigma - \{\alpha, \alpha'\})^*$; then $s_1\alpha \ldots s_k\alpha s_{k+1} \in P_1^{-1}L(\mathrm{SUP}_1)$. 

2) Let $s \in {P'_1}^{-1}L_m(\mathrm{SUP}'_1)$ and $\#\alpha(s) = 0$. If $k = 0$, then $s \in P_1^{-1}L_m(\mathrm{SUP}_1)$; if $k > 0$, then $s_1\alpha \ldots s_k\alpha s_{k+1} \in P_1^{-1}L_m(\mathrm{SUP}_1)$. 

Proof. Define $P'_{11}$ and $P'_{12}$ as in Table 3. Statements 1) and 2) can be proved by the same method. We only prove 1), for the following two cases. 

(i) $k = 0$. As (i) in the proof of Lemma 4, $s \in P_1^{-1}L(\mathrm{SUP}_1)$ can be proved similarly. 

(ii) $k > 0$. By $s \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$, $P'_1(s) \in L(\mathrm{SUP}'_1)$. By $s \in (\Sigma_{\mathrm{SUP}'} - \{\alpha\})^*$, $P'_{11}(s) = s$; thus $P'_1(s) = P'_{12}P'_{11}(s) = P'_{12}(s)$. So $P'_{12}(s) \in L(\mathrm{SUP}'_1)$, i.e. 

$P'_{12}(s_1)\alpha' \ldots P'_{12}(s_k)\alpha' P'_{12}(s_{k+1}) \in L(\mathrm{SUP}'_1).$ 

As (i), $P'_{12}(s_i) = P_1(s_i)$ $(i = 1, \ldots, k+1)$. So, $P_1(s_1)\alpha' \ldots P_1(s_k)\alpha' P_1(s_{k+1}) \in L(\mathrm{SUP}'_1)$. It follows that $P_1(s_1)\alpha \ldots P_1(s_k)\alpha P_1(s_{k+1}) \in L(\mathrm{SUP}_1)$. Hence, $P_1(s_1\alpha \ldots s_k\alpha s_{k+1}) \in L(\mathrm{SUP}_1)$, i.e. $s_1\alpha \ldots s_k\alpha s_{k+1} \in P_1^{-1}L(\mathrm{SUP}_1)$. □ 

Proof of Lemma 1. First we prove that $L(\mathrm{SUP}) \subseteq P_{\alpha'}L(\mathrm{SUP}')$; $L(\mathrm{SUP}') \subseteq P_{\beta'}L(\mathrm{NSUP}')$, $L_m(\mathrm{SUP}) \subseteq P_{\alpha'}L_m(\mathrm{SUP}')$ and $L_m(\mathrm{SUP}') \subseteq P_{\beta'}L_m(\mathrm{NSUP}')$ are proved similarly. 

Let $s \in L(\mathrm{SUP})$ and $k = \#\alpha(s)$. Since $s \in L(\mathrm{SUP}) = P_1^{-1}L(\mathrm{SUP}_1) \cap P_2^{-1}L(\mathrm{SUP}_2)$, $s \in P_1^{-1}L(\mathrm{SUP}_1)$ and $s \in P_2^{-1}L(\mathrm{SUP}_2)$. First suppose $k = 0$. By Lemma 4, $s \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$. According to the definitions of $P_2$ and $P'_2$, $s \in P_2^{-1}L(\mathrm{SUP}_2)$ implies that $s \in {P'_2}^{-1}L(\mathrm{SUP}_2)$. Since $k = 0$, $P'_{\mathrm{CH}_\alpha}s = \epsilon$ (empty string), and thus $s \in {P'_{\mathrm{CH}_\alpha}}^{-1}L(\mathrm{CH}_\alpha)$. Hence, 

$s \in {P'_1}^{-1}L(\mathrm{SUP}'_1) \cap {P'_2}^{-1}L(\mathrm{SUP}_2) \cap {P'_{\mathrm{CH}_\alpha}}^{-1}L(\mathrm{CH}_\alpha) = L(\mathrm{SUP}').$ 

Now suppose $k > 0$. Write $s = s_1\alpha \ldots s_k\alpha s_{k+1}$ where $\#\alpha(s_i) = 0$ $(i = 1, \ldots, k+1)$. Let $t = s_1\alpha\alpha' \ldots s_k\alpha\alpha' s_{k+1}$. By Lemma 4, $t \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$. Because $\alpha' \notin \Sigma_{\mathrm{SUP}_2}$, $s \in P_2^{-1}L(\mathrm{SUP}_2)$ implies that $t \in {P'_2}^{-1}L(\mathrm{SUP}_2)$. Additionally, $P'_{\mathrm{CH}_\alpha}t = (\alpha\alpha')^k \in L(\mathrm{CH}_\alpha)$, i.e. $t \in {P'_{\mathrm{CH}_\alpha}}^{-1}L(\mathrm{CH}_\alpha)$, so $t \in L(\mathrm{SUP}')$ and thus $s = P_{\alpha'}t \in P_{\alpha'}L(\mathrm{SUP}')$. We conclude that $L(\mathrm{SUP}) \subseteq P_{\alpha'}L(\mathrm{SUP}')$, as required. □ 

Proof of Lemma 2. In the simpler case where $R_2 = \{\alpha, \beta\}$, we must prove that if there exist $s \in L(\mathrm{SUP}')$ and $v \in \Sigma_{\mathrm{SUP}'}^*$ such that $\#\beta(v) = 0$ and $sv \notin L_m(\mathrm{SUP}')$, then there exists $t \in L(\mathrm{NSUP}')$ such that $P_{\beta'}t = s$ and for any $w \in \Sigma_{\mathrm{NSUP}'}^*$, if $P_{\beta'}w = v$, then $tw \notin L_m(\mathrm{NSUP}')$. Let $\#\beta(s) = k$. We consider two cases: $k = 0$ and $k > 0$. 

(i) $k = 0$. Let $t = s$; then $P_{\beta'}(t) = s$. By $s \in L(\mathrm{SUP}')$, $s \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$, $s \in {P'_2}^{-1}L(\mathrm{SUP}_2)$, and $s \in {P'_{\mathrm{CH}_\alpha}}^{-1}L(\mathrm{CH}_\alpha)$. By Lemma 4, since $k = 0$, $t \in {P'_{N,1}}^{-1}L(\mathrm{SUP}''_1)$. By $s \in {P'_2}^{-1}L(\mathrm{SUP}_2)$, $P'_2(s) \in L(\mathrm{SUP}_2)$. Since $s \in (\Sigma_{\mathrm{SUP}'} - \{\beta\})^*$, $P'_{N,2}(s) = P'_2(s)$; thus $P'_{N,2}(s) \in L(\mathrm{SUP}_2)$. So $t = s \in {P'_{N,2}}^{-1}L(\mathrm{SUP}_2)$. Similarly, $t \in {P'_{N,\mathrm{CH}_\alpha}}^{-1}L(\mathrm{CH}_\alpha)$. Due to $\#\beta(t) = 0$, $P'_{N,\mathrm{CH}_\beta}t = \epsilon \in L(\mathrm{CH}_\beta)$. So $t \in {P'_{N,\mathrm{CH}_\beta}}^{-1}L(\mathrm{CH}_\beta)$. By (35), $t \in L(\mathrm{NSUP}')$. We claim that for any $w \in \Sigma_{\mathrm{NSUP}'}^*$, if $P_{\beta'}w = v$, then $tw \notin L_m(\mathrm{NSUP}')$. Otherwise, there exists $w \in \Sigma_{\mathrm{NSUP}'}^*$, $P_{\beta'}w = v$ and $tw \in L_m(\mathrm{NSUP}')$. Since $t = s \in (\Sigma_{\mathrm{SUP}'} - \{\beta\})^*$ ($\#\beta(s) = 0$) and $tw \in L_m(\mathrm{NSUP}')$, $\#\beta'(w) = 0$ and thus $\#\beta(w) = 0$. Furthermore, by $P_{\beta'}w = v$, $w = v$. Hence, $sv = tw \in L_m(\mathrm{NSUP}')$, i.e. $sv \in {P'_{N,1}}^{-1}L_m(\mathrm{SUP}''_1)$, $sv \in {P'_{N,2}}^{-1}L_m(\mathrm{SUP}_2)$ and $sv \in {P'_{N,\mathrm{CH}_\alpha}}^{-1}L_m(\mathrm{CH}_\alpha)$. By Lemma 5, $sv \in {P'_{N,1}}^{-1}L_m(\mathrm{SUP}''_1)$ implies that $sv \in {P'_1}^{-1}L_m(\mathrm{SUP}'_1)$. Since $sv \in (\Sigma_{\mathrm{SUP}'} - \{\beta\})^*$, $P'_{N,2}(sv) = P'_2(sv)$. So $sv \in {P'_{N,2}}^{-1}L_m(\mathrm{SUP}_2)$ implies that $sv \in {P'_2}^{-1}L_m(\mathrm{SUP}_2)$. Similarly, $sv \in {P'_{\mathrm{CH}_\alpha}}^{-1}L_m(\mathrm{CH}_\alpha)$. By (34), $sv \in L_m(\mathrm{SUP}')$; hence a contradiction. 

(ii) $k > 0$. Write $s = s_1\beta \ldots s_k\beta s_{k+1}$ where $s_i \in (\Sigma_{\mathrm{SUP}'} - \{\beta\})^*$ (thus $\#\beta(s_i) = 0$) $(i = 1, \ldots, k+1)$. Let $t = s_1\beta\beta' \ldots s_k\beta\beta' s_{k+1}$; thus $P_{\beta'}t = s$. By $s \in L(\mathrm{SUP}')$, $s \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$, $s \in {P'_2}^{-1}L(\mathrm{SUP}_2)$, and $s \in {P'_{\mathrm{CH}_\alpha}}^{-1}L(\mathrm{CH}_\alpha)$. By Lemma 4, $s \in {P'_1}^{-1}L(\mathrm{SUP}'_1)$ implies that $t \in {P'_{N,1}}^{-1}L(\mathrm{SUP}''_1)$. As in (i), $t \in {P'_{N,2}}^{-1}L(\mathrm{SUP}_2)$ and $t \in {P'_{N,\mathrm{CH}_\alpha}}^{-1}L(\mathrm{CH}_\alpha)$ can be proved. Additionally, $P'_{N,\mathrm{CH}_\beta}(t) = \beta\beta' \ldots \beta\beta' \in (\beta\beta')^* = L(\mathrm{CH}_\beta)$. So $t \in {P'_{N,\mathrm{CH}_\beta}}^{-1}L(\mathrm{CH}_\beta)$. By (36), $t \in L(\mathrm{NSUP}')$. We claim that for any $w \in \Sigma_{\mathrm{NSUP}'}^*$, if $P_{\beta'}w = v$, then $tw \notin L_m(\mathrm{NSUP}')$. Otherwise, there exists $w \in \Sigma_{\mathrm{NSUP}'}^*$, $P_{\beta'}w = v$ and $tw \in L_m(\mathrm{NSUP}')$. By $tw \in L_m(\mathrm{NSUP}')$, $P'_{N,\mathrm{CH}_\beta}(tw) \in L_m(\mathrm{CH}_\beta) = (\beta\beta')^*$. Since $P'_{N,\mathrm{CH}_\beta}(t) = \beta\beta' \ldots \beta\beta'$, $P'_{N,\mathrm{CH}_\beta}(w) \in (\beta\beta')^*$. By $\#\beta(P_{\beta'}(w)) = \#\beta(v) = 0$, $\#\beta(w) = \#\beta'(w) = 0$; thus $w = v$. So $tw = tv \in L_m(\mathrm{NSUP}')$, and $tv = s_1\beta\beta' \ldots s_k\beta\beta' s_{k+1}v$; thus $\#\beta(s_{k+1}v) = 0$. By (36) and $tv \in L_m(\mathrm{NSUP}')$, $tv \in {P'_{N,1}}^{-1}L_m(\mathrm{SUP}''_1)$, $tv \in {P'_{N,2}}^{-1}L_m(\mathrm{SUP}_2)$, and $tv \in {P'_{N,\mathrm{CH}_\alpha}}^{-1}L_m(\mathrm{CH}_\alpha)$. By $\Sigma_{\mathrm{SUP}''_1} = \Sigma_{\mathrm{SUP}_1} \cup \{\alpha', \beta'\} - \{\alpha, \beta\}$, $P_\beta({P'_{N,1}}^{-1}L(\mathrm{SUP}''_1)) \subseteq {P'_{N,1}}^{-1}L(\mathrm{SUP}''_1)$ (where $P_\beta$ is defined in Table 3); further, $tv \in {P'_{N,1}}^{-1}L_m(\mathrm{SUP}''_1)$ implies that $P_\beta tv \in {P'_{N,1}}^{-1}L_m(\mathrm{SUP}''_1)$. Hence $P_\beta(tv) = s_1\beta' \ldots s_k\beta' s_{k+1}v \in {P'_{N,1}}^{-1}L_m(\mathrm{SUP}''_1)$. Similarly, $sv = s_1\beta \ldots s_k\beta s_{k+1}v \in {P'_2}^{-1}L_m(\mathrm{SUP}_2)$ and $sv \in {P'_{\mathrm{CH}_\alpha}}^{-1}L_m(\mathrm{CH}_\alpha)$. By Lemma 5, $sv \in {P'_1}^{-1}L_m(\mathrm{SUP}'_1)$. By (34), $sv \in L_m(\mathrm{SUP}')$, a contradiction. 

We conclude that there exists $t \in L(\mathrm{NSUP}')$ such that $P_{\beta'}t = s$ and for any $w \in \Sigma_{\mathrm{NSUP}'}^*$, if $P_{\beta'}w = v$, then $tw \notin L_m(\mathrm{NSUP}')$. □ 

Proof of Lemma 3. In the simpler case where $R_2 = \{\alpha, \beta\}$, we must prove that if there exist $s \in L(\mathrm{SUP}')$ and $\sigma \in \Sigma_{\mathrm{SUP}'}$ such that $s\sigma \notin L(\mathrm{SUP}')$, then there exists $t \in L(\mathrm{NSUP}')$ such that $P_{\beta'}t = s$ and for any $w \in \Sigma_{\mathrm{NSUP}'}^*$, if $P_{\beta'}w = \sigma$, then $tw \notin L(\mathrm{NSUP}')$. Let $k = \#\beta(s)$. We consider two cases: $k = 0$ and $k > 0$. 

(i) $k = 0$. Let $t = s$. As (i) in the proof of Lemma 2, $t \in L(\mathrm{NSUP}')$. We claim that for any $w \in \Sigma_{\mathrm{NSUP}'}^*$, if $P_{\beta'}w = \sigma$, then $tw \notin L(\mathrm{NSUP}')$. Otherwise, there exists $w \in \Sigma_{\mathrm{NSUP}'}^*$, $P_{\beta'}w = \sigma$ and $tw \in L(\mathrm{NSUP}')$. If $\sigma \neq \beta$, then $tw \in (\Sigma_{\mathrm{SUP}'} - \{\beta\})^*$. Since $tw \in L(\mathrm{NSUP}')$, $P'_{N,\mathrm{CH}_\beta}(tw) \in L(\mathrm{CH}_\beta)$; thus $\#\beta'(tw) = 0$. Further, due to $P_{\beta'}w = \sigma$, $w = \sigma$. So $s\sigma = tw \in L(\mathrm{NSUP}')$. Similar to (i) in the proof of Lemma 2, $s\sigma \in L(\mathrm{SUP}')$. Hence, a contradiction. If $\sigma = \beta$, due to $P'_{N,\mathrm{CH}_\beta}(tw) \in L(\mathrm{CH}_\beta)$, then $w = \beta$ or $w = \beta\beta'$. If $w = \beta$, then $t\beta\beta' \in L(\mathrm{NSUP}')$. So, in both cases $t\beta\beta' \in L(\mathrm{NSUP}')$. Similar to (ii) in the proof of Lemma 2, $s\beta \in L(\mathrm{SUP}')$, which contradicts $s\sigma \notin L(\mathrm{SUP}')$. 

(ii) $k > 0$. Write $s = s_1\beta \ldots s_k\beta s_{k+1}$ where $s_i \in (\Sigma_{\mathrm{SUP}'} - \{\beta\})^*$ (thus $\#\beta(s_i) = 0$) $(i = 1, \ldots, k+1)$. Let $t = s_1\beta\beta' \ldots s_k\beta\beta' s_{k+1}$. We claim that for any $w \in \Sigma_{\mathrm{NSUP}'}^*$, if $P_{\beta'}w = \sigma$, then $tw \notin L(\mathrm{NSUP}')$. Otherwise, there exists $w \in \Sigma_{\mathrm{NSUP}'}^*$, $P_{\beta'}w = \sigma$ and $tw \in L(\mathrm{NSUP}')$. If $\sigma \neq \beta$, due to $P_{\beta'}(w) = \sigma$, $\#\beta(w) = 0$. Since $P'_{N,\mathrm{CH}_\beta}t = \beta\beta' \ldots \beta\beta' \in L_m(\mathrm{CH}_\beta)$ and $P'_{N,\mathrm{CH}_\beta}tw \in L(\mathrm{CH}_\beta)$, $\#\beta'(w) = 0$. So $w = \sigma$, and thus $t\sigma = tw \in L(\mathrm{NSUP}')$. Similar to (ii) in the proof of Lemma 2, $s\sigma \in L(\mathrm{SUP}')$, a contradiction. If $\sigma = \beta$, as in (i), $t\beta\beta' \in L(\mathrm{NSUP}')$. Similar to (ii) in the proof of Lemma 2, $s\beta \in L(\mathrm{SUP}')$, again a contradiction. 

We conclude that there exists $t \in L(\mathrm{NSUP}')$ such that $P_{\beta'}t = s$ and for any $w \in \Sigma_{\mathrm{NSUP}'}^*$, if $P_{\beta'}w = \sigma$, then $tw \notin L(\mathrm{NSUP}')$, as required. □ 



C Delay-Robustness of Decentralized Controllers 

Let $G$ be the DES to be controlled, and $\mathrm{LOC}_1$ and $\mathrm{LOC}_2$ be two decentralized controllers, which achieve global supervision with zero-delay communication. Let $\Sigma_i$, $\Sigma_{i,o}$ be the event set and observable event set of $\mathrm{LOC}_i$, respectively $(i = 1, 2)$. Assume event $\tau \in \Sigma_1 \cap (\Sigma_{2,o} - \Sigma_{1,o})$, which is not observed by $\mathrm{LOC}_1$, but is observed by $\mathrm{LOC}_2$. Hence, $\tau$ should be transmitted to $\mathrm{LOC}_1$. We use the channel $\mathrm{C2\tau1}$, as shown in Fig. 1, to transmit $\tau$ and use $\tau'$ to represent that $\mathrm{LOC}_1$ receives the occurrence of $\tau$. Then, replacing $\tau$ by $\tau'$, we obtain $\mathrm{LOC}'_1$. Let $\mathrm{SUP} = \mathrm{Sync}(G, \mathrm{LOC}_1, \mathrm{LOC}_2)$, $\mathrm{SUP}' = \mathrm{Sync}(G, \mathrm{LOC}'_1, \mathrm{C2\tau1}, \mathrm{LOC}_2)$, and $\mathrm{QCSUP}' = \mathrm{Supqc}(\mathrm{SUP}', \mathrm{Null}[\tau'])$. Finally, by Theorem 1, if $\mathrm{SUP} \approx \mathrm{QCSUP}'$, $\mathrm{SUP}$ is delay-robust with respect to $\tau$, or $\mathrm{LOC}_1$ and $\mathrm{LOC}_2$ achieve global supervision with unbounded delay communication. 
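As an added illustration (not code from the paper), the following Python script carries out the construction of Appendix C on two constructed two-agent cells: a two-state channel, the relabelling of the receiving supervisor, the synchronous product, and a comparison of $L$, $L_m$ of SUP with the $P_{\tau'}$-images of SUP'. It checks language equality only for strings up to a chosen length and does not implement the Supqc quasi-congruence reduction, so agreement up to that length is evidence rather than a proof, while any disagreement is a genuine witness that the event is delay-critical; the names sync, languages, channel, relabel, delay_robust and the events a, b, alpha are assumptions of this example.

```python
# Added example (not from the paper): bounded-length check of the Appendix C condition; no Supqc.
from collections import deque, namedtuple

DES = namedtuple("DES", "alphabet trans init marked")  # trans: {(state, event): next_state}

def sync(*comps):
    """Synchronous product: shared events move every owner in lockstep, others interleave."""
    alphabet = set().union(*(c.alphabet for c in comps))
    init = tuple(c.init for c in comps)
    trans, marked, todo, seen = {}, set(), deque([init]), {init}
    while todo:
        q = todo.popleft()
        if all(qi in c.marked for qi, c in zip(q, comps)):
            marked.add(q)
        for e in alphabet:
            nxt = tuple(c.trans.get((qi, e)) if e in c.alphabet else qi for qi, c in zip(q, comps))
            if None not in nxt:  # every component owning e enables it in its current state
                trans[(q, e)] = nxt
                if nxt not in seen: seen.add(nxt); todo.append(nxt)
    return DES(alphabet, trans, init, marked)

def languages(des, depth, nulled=frozenset()):
    """Closed and marked languages of des up to length depth, projected by erasing nulled events."""
    closed, marked, todo = set(), set(), deque([((), des.init)])
    while todo:
        s, q = todo.popleft()
        image = tuple(e for e in s if e not in nulled)
        closed.add(image)
        if q in des.marked:
            marked.add(image)
        if len(s) < depth:
            todo.extend((s + (e,), r) for (p, e), r in des.trans.items() if p == q)
    return closed, marked

def channel(event):  # two-state CH_event: accepts event from its sender, then delivers event'
    return DES({event, event + "'"}, {(0, event): 1, (1, event + "'"): 0}, 0, {0})

def relabel(des, old, new):  # SUP1 -> SUP1': the receiver reacts to the delivered copy instead
    trans = {(q, new if e == old else e): r for (q, e), r in des.trans.items()}
    return DES((des.alphabet - {old}) | {new}, trans, des.init, des.marked)

def delay_robust(sup1, sup2, event, depth):
    """L, Lm of SUP = sync(SUP1, SUP2) versus P_{event'} of SUP' = sync(SUP1', CH, SUP2), up to depth."""
    sup_d = sync(relabel(sup1, event, event + "'"), channel(event), sup2)
    l, lm = languages(sync(sup1, sup2), depth)
    ld, lmd = languages(sup_d, 2 * depth, {event + "'"})  # each event' follows one event: 2*depth
    ld, lmd = ({p for p in x if len(p) <= depth} for x in (ld, lmd))
    return l == ld and lm == lmd

# Constructed cells: agent 1 waits for alpha (agent 2's event, reported via CH_alpha), then does
# a; agent 2 does alpha, then b. A one-shot task first, then the same task repeated forever.
SUP1 = DES({"a", "alpha"}, {(0, "alpha"): 1, (1, "a"): 2}, 0, {2})
SUP2 = DES({"b", "alpha"}, {(0, "alpha"): 1, (1, "b"): 2}, 0, {2})
SUP1_CYC = DES({"a", "alpha"}, {(0, "alpha"): 1, (1, "a"): 0}, 0, {0})
SUP2_CYC = DES({"b", "alpha"}, {(0, "alpha"): 1, (1, "b"): 0}, 0, {0})
```

For the one-shot cell `delay_robust(SUP1, SUP2, "alpha", 3)` is `True`; for the cyclic cell it is `False`, because the delayed report lets agent 2 start a second alpha before agent 1 has acted on the first, so the projected string alpha b alpha appears in SUP' but not in SUP.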